A critical SQL injection vulnerability (CVE-2023-34362) affecting the MOVEit Transfer managed file transfer application is being exploited in the wild. The vulnerability may result in elevated privileges and unauthorized access to the MOVEit Transfer database.
CISA has added this critical vulnerability to its Known Exploited Vulnerabilities Catalog, requesting users to patch it before 23rd June 2023.
MOVEit Transfer is a managed file transfer (MFT) solution available as an on-premises product. It offers file encryption, activity tracking, tamper-evident logging, and centralized access controls for managing and controlling file transfers. It provides file transfer between business partners and customers over SFTP, SCP, and HTTP-based uploads, and helps organizations meet SLAs, internal governance requirements, and regulations such as PCI, HIPAA, CCPA/CPRA, and GDPR.
An unauthenticated attacker may access the MOVEit Transfer database through this SQL injection vulnerability in the web application. An attacker may also gather information about the structure and contents of the database based on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL).
After successfully exploiting the vulnerability, the attacker deploys a newly discovered web shell, LEMURLOOT, under the filename human2.aspx so that it masquerades as human.aspx, a legitimate component of the MOVEit Transfer software. LEMURLOOT was written specifically to interact with the MOVEit Transfer platform.
It can perform the following actions:
- Extract Azure system settings
- Access confidential record information
- Create and insert a specific user, or delete this same user
- Run instructions to download files from the MOVEit Transfer system
Authentication and Database Connection
LEMURLOOT supports various parameters. Depending upon the parameter being used, specific actions are triggered.
First, LEMURLOOT checks whether the incoming HTTP request contains the header field X-siLock-Comment with a 36-character GUID-formatted value, which serves as the password. If the request does not carry the expected header field and value, LEMURLOOT returns an HTTP 404 status code to the client.
If the correct password is supplied, LEMURLOOT responds with the header X-siLock-Comment set to the value comment, indicating that the connection succeeded. LEMURLOOT then connects to the SQL server from the execution host, processes the data received from the connected client, and parses the expected commands from the HTTP header fields X-siLock-Step1, X-siLock-Step2, and X-siLock-Step3.
X-siLock-Step1 is the primary parameter used for access. X-siLock-Step2 specifies a directory, and X-siLock-Step3 specifies a filename.
When X-siLock-Comment carries the correct password, the value of X-siLock-Step1 determines the action LEMURLOOT performs on the compromised system:
- If the value of the header field X-siLock-Step1 is -1
LEMURLOOT returns sensitive Azure Blob information, including the Storage Account, Key, and Container IDs. It also returns a list of all files and folders stored in MOVEit Transfer, together with the file owners, file sizes, and the institution names recorded in the MOVEit Transfer system. This lets an attacker target specific files belonging to particular users or organizations.
- If the X-siLock-Step1 header field value is -2
LEMURLOOT deletes the database admin user named “Health Check Service” that it created.
- If the value of the header field X-siLock-Step1 is neither -1 nor -2
LEMURLOOT parses the values of the header fields X-siLock-Step2 (the directory) and X-siLock-Step3 (the filename) and stores them in the folderid and fileid variables.
- If the values of fileid and folderid are not null
LEMURLOOT retrieves the file identified by these values from the local MOVEit Transfer system, compresses it with gzip, and returns it to the connected client.
- If the fileid and folderid variables are null
LEMURLOOT downloads the file defined by X-siLock-Step2 and X-siLock-Step3. Without parameters, human2.aspx creates a new database admin user named “Health Check Service.”
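As an added illustration (not code from the advisory or from Qualys), the following Python function maps the X-siLock-* header combinations described above to the action LEMURLOOT would take, so a WAF rule or log-review script can alert on them with a meaningful label. The GUID layout (8-4-4-4-12 hex) and the sample requests are assumptions constructed for this example.

```python
import re
from typing import Mapping

# LEMURLOOT's password is a 36-character GUID in X-siLock-Comment (assumed 8-4-4-4-12 hex layout).
GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
SILOCK_HEADERS = ("x-silock-comment", "x-silock-step1", "x-silock-step2", "x-silock-step3")

def classify_request(headers: Mapping[str, str]) -> dict:
    """Return {"suspicious", "authenticated", "action"} for one HTTP request's headers.

    Any X-siLock-* header is an indicator on its own; "action" mirrors the branch
    logic described in the advisory text so an alert can say what was attempted.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if not any(name in h for name in SILOCK_HEADERS):
        return {"suspicious": False, "authenticated": False, "action": None}
    if not GUID_RE.match(h.get("x-silock-comment", "")):
        # Wrong or missing password: the web shell answers 404, but the probe is still an IoC.
        return {"suspicious": True, "authenticated": False, "action": "rejected-404"}
    step1 = h.get("x-silock-step1", "")
    folder_id = h.get("x-silock-step2") or None   # X-siLock-Step2: directory
    file_id = h.get("x-silock-step3") or None     # X-siLock-Step3: filename
    if step1 == "-1":
        action = "dump-azure-settings-and-file-listing"
    elif step1 == "-2":
        action = "delete-health-check-service-admin"
    elif folder_id and file_id:
        action = f"exfiltrate-file folderid={folder_id} fileid={file_id} (gzip)"
    else:
        action = "create-health-check-service-admin"
    return {"suspicious": True, "authenticated": True, "action": action}

# Constructed sample requests (not real traffic), one header dict per request.
SAMPLE_REQUESTS = [
    {"Host": "mft.example.internal", "User-Agent": "Mozilla/5.0"},
    {"X-siLock-Comment": "not-a-guid"},
    {"X-siLock-Comment": "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0", "X-siLock-Step1": "-1"},
    {"X-siLock-Comment": "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0", "X-siLock-Step1": "0",
     "X-siLock-Step2": "123", "X-siLock-Step3": "456"},
]

def alerts(requests):
    """Classify each request and keep only the suspicious ones, e.g. for forwarding to a SIEM."""
    verdicts = [classify_request(r) for r in requests]
    return [v for v in verdicts if v["suspicious"]]

if __name__ == "__main__":
    for a in alerts(SAMPLE_REQUESTS):
        print(a)
```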
Affected Versions
- MOVEit Transfer 2023.0.x versions before 2023.0.1
- MOVEit Transfer 2022.1.x versions before 2022.1.5
- MOVEit Transfer 2022.0.x versions before 2022.0.4
- MOVEit Transfer 2021.1.x versions before 2021.1.4
- MOVEit Transfer 2021.0.x versions before 2021.0.6
Fixed Versions
- MOVEit Transfer 2023.0.1
- MOVEit Transfer 2022.1.5
- MOVEit Transfer 2022.0.4
- MOVEit Transfer 2021.1.4
- MOVEit Transfer 2021.0.6
For more information, please refer to the MOVEit Security Advisory.
- Step 1: Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment
Modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 until the patch is applied.
It is important to note that until HTTP and HTTPS traffic is enabled again:
- Users cannot log on to the MOVEit Transfer web UI.
- MOVEit Automation tasks that use the native MOVEit Transfer host will not work.
- REST, Java, and .NET APIs will not work.
- MOVEit Transfer add-in for Outlook will not work.
Note: SFTP and FTP/S will continue to work as usual. Administrators can still reach MOVEit Transfer by connecting to the Windows machine over Remote Desktop and browsing to https://localhost/. For more information on localhost connections, please refer to MOVEit Transfer Help.
- Step 2: Review, Delete, and Reset
- Step 2A: Delete Unauthorized Files and User Accounts
- Delete any instances of the human2.aspx and .cmdline script files.
- On the MOVEit Transfer server, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.
- On the MOVEit Transfer server, look for new files created in the C:\Windows\TEMP\[random]\ directory with the file extension .cmdline.
- Remove any unauthorized user accounts. See the Progress MOVEit Users Documentation article.
- Review logs for unexpected downloads of files from unknown IPs or large numbers of files downloaded. Please refer to the MOVEit Transfer Logs guide for more information on reviewing logs.
- Step 2B: Reset Credentials
Reset the service account credentials for the affected systems and for the MOVEit Service Account.
- Step 3: Apply the Patch
Supported versions are listed at the following link: https://community.progress.com/s/products/moveit/product-lifecycle. The existing license file can be kept when applying the patch.
- Step 4: Enable all HTTP and HTTPS traffic to your MOVEit Transfer environment.
To confirm that the files have been deleted and no unauthorized accounts remain, repeat step 2A. If you find indicators of compromise, reset the service account credentials again.
- Step 5: Continuous Monitoring
Monitor network, endpoints, and logs for IoCs (Indicators of Compromise) as listed in the MOVEit Security Advisory.
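To make the log-review and monitoring steps concrete, here is an added Python example (not code from Progress or Qualys) that parses a constructed IIS W3C log excerpt, flags requests to human2.aspx, and tallies successful downloads per client IP so that unknown or high-volume sources stand out. The URI paths, IP addresses, and the "/download" marker are assumptions for the example, not MOVEit Transfer's actual URL layout.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed IIS W3C log excerpt for this example (not a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-bytes
2023-05-28 01:12:03 POST /human2.aspx - 203.0.113.9 200 9120
2023-05-28 01:12:09 POST /human2.aspx - 203.0.113.9 200 448231
2023-05-28 08:30:11 GET /human.aspx OrgID=1 192.0.2.10 200 2210
2023-05-28 08:31:40 GET /files/1001/download - 192.0.2.10 200 183000
2023-05-28 01:13:02 GET /files/1002/download - 203.0.113.9 200 9100000
2023-05-28 01:13:05 GET /files/1003/download - 203.0.113.9 200 7200000
2023-05-28 01:13:07 GET /files/1004/download - 203.0.113.9 200 5100000
"""

def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C lines into dicts keyed by the names in the #Fields directive."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):      # skip truncated or malformed records
                rows.append(dict(zip(fields, parts)))
    return rows

def triage(rows: Iterable[Dict[str, str]], known_ips: Set[str],
           download_marker: str = "/download", max_downloads: int = 2) -> Tuple[list, dict]:
    """Return (webshell_hits, bulk_downloaders) for the advisory's log-review step.

    webshell_hits: records touching human2.aspx. bulk_downloaders: client IPs that are
    not in known_ips, or that exceed max_downloads successful download requests,
    with their request count and total bytes served.
    """
    webshell_hits = [r for r in rows if r["cs-uri-stem"].lower().endswith("/human2.aspx")]
    per_ip = defaultdict(lambda: {"count": 0, "bytes": 0})
    for r in rows:
        if r["sc-status"] == "200" and download_marker in r["cs-uri-stem"].lower():
            per_ip[r["c-ip"]]["count"] += 1
            per_ip[r["c-ip"]]["bytes"] += int(r["sc-bytes"])
    bulk = {ip: s for ip, s in per_ip.items() if ip not in known_ips or s["count"] > max_downloads}
    return webshell_hits, bulk

if __name__ == "__main__":
    hits, bulk = triage(parse_w3c(SAMPLE_LOG), known_ips={"192.0.2.10"})
    print(len(hits), "web shell requests;", "bulk/unknown downloaders:", bulk)
```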
Qualys customers can scan their devices with QID 378543 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.