In early June 2024, watchTowr Labs identified a critical authentication bypass vulnerability (CVE-2024-5806) in the SFTP module of Progress Software’s MOVEit Transfer and MOVEit Cloud file transfer solutions. This vulnerability allows attackers to bypass authentication checks and gain unauthorised access to sensitive data by manipulating parameters during the SSH authentication process.
Background:
Progress Software un-embargoed the vulnerability on June 25, 2024. MOVEit Transfer, a widely used solution for transferring critical business information, was previously exploited by the Cl0p ransomware group, which used a zero-day SQL injection vulnerability to compromise several high-profile organisations, including the BBC and FBI. This new vulnerability poses a similar threat because of MOVEit’s significant role in handling essential business data.
Exploitation Details:
Researchers at watchTowr and Rapid7 discovered that an attacker could exploit this vulnerability by manipulating SSH authentication parameters. Specifically, they found that the server treats binary key data as a file path, enabling unauthorised file access. This flaw allows attackers to impersonate any user on the server, gaining full access to their files.
Mitigation:
Progress Software has issued patches for MOVEit Transfer versions 2024.0.2, 2023.1.6, and 2023.0.11, and MOVEit Gateway versions 2024.0.1 and later. All MOVEit Transfer and MOVEit Cloud users are strongly advised to apply these patches immediately to protect against potential exploitation.
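The version numbers above are the ones an administrator needs to check an estate against. The script below is an added illustration of that triage step; it is not Progress Software tooling and not part of the original advisory. It takes the fixed MOVEit Transfer versions quoted above, assumes that any build in the same release branch below the fixed build is unpatched (the advisory lists only the fixed versions, so this is an assumption), flags versions from branches the advisory does not mention for manual review, and runs over a constructed inventory of made-up hostnames and version strings.

```python
"""Triage installed MOVEit Transfer versions against the fixed versions
named in the advisory. Added example, not Progress Software's own tooling."""
import re

# Fixed versions taken from the advisory text, keyed by release branch.
# Assumption (not stated on the page): a build in one of these branches that
# is below the fixed build is treated as unpatched.
FIXED_VERSIONS = {
    (2024, 0): (2024, 0, 2),
    (2023, 1): (2023, 1, 6),
    (2023, 0): (2023, 0, 11),
}

# Assumed version format: major.minor.build, e.g. "2024.0.2".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text):
    """Parse 'major.minor.build' into an int tuple; raise on anything else."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return 'patched', 'unpatched', or 'review'.

    'review' means the release branch is not in the advisory's list, so the
    vendor's guidance has to be checked by hand rather than assumed safe.
    """
    v = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "review"
    # Tuple comparison is lexicographic, so (2023, 0, 9) < (2023, 0, 11).
    return "patched" if v >= fixed else "unpatched"


def triage(inventory):
    """Group an iterable of (hostname, version string) pairs by status.

    Unparseable version strings land in 'review' rather than being dropped,
    so nothing silently disappears from the report.
    """
    buckets = {"patched": [], "unpatched": [], "review": []}
    for host, ver in inventory:
        try:
            buckets[assess(ver)].append(host)
        except ValueError:
            buckets["review"].append(host)
    return {status: sorted(hosts) for status, hosts in buckets.items()}


# Constructed sample inventory: hostnames and versions are made up for the
# example and do not describe any real deployment.
SAMPLE_INVENTORY = [
    ("mft-01", "2024.0.2"),
    ("mft-02", "2024.0.1"),
    ("mft-03", "2023.1.6"),
    ("mft-04", "2023.1.5"),
    ("mft-05", "2023.0.11"),
    ("mft-06", "2023.0.9"),
    ("mft-07", "2022.1.3"),
    ("mft-08", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>9}: {', '.join(hosts) or '-'}")
```

The "review" bucket is deliberate: a host on a branch the advisory does not name is not evidence that it is safe, only that this list cannot decide, and unparseable version strings are reported rather than discarded. In practice the inventory would come from your asset register or the MOVEit admin interface rather than being hard-coded.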
To Sum Up:
This vulnerability underscores the importance of proactive security measures and timely patching. As attackers continue to exploit such flaws, organisations must remain vigilant and ensure their systems are updated with the latest security patches to prevent unauthorised access and data breaches. Stay informed and secure your MOVEit deployments to mitigate this critical threat.