MOVEit Transfer Privilege Escalation and Potential Unauthorized Access Vulnerability (CVE-2023-35708)

Progress has discovered a privilege escalation vulnerability in the MOVEit Transfer web application (CVE-2023-35708). On successful exploitation, the vulnerability may allow an attacker to gain unauthorized access to the MOVEit Transfer database. There is no evidence to suggest that the vulnerability is being exploited in the wild.

MOVEit Transfer is a managed file transfer (MFT) solution offered as an on-premises deployment. It provides file encryption, activity tracking, tamper-evident logging, and centralized access controls, giving administrators management of and control over transfers. The tool supports file transfer between business partners and customers over SFTP, SCP, and HTTP-based uploads, and helps organizations meet SLAs, internal governance requirements, and regulations such as PCI, HIPAA, CCPA/CPRA, and GDPR.

An unauthenticated attacker can exploit the SQL injection vulnerability in the MOVEit Transfer web application to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a specially crafted payload to a MOVEit Transfer application endpoint to modify and disclose MOVEit database content.

Affected Versions

  • MOVEit Transfer 2023.0.x versions before 2023.0.3
  • MOVEit Transfer 2022.1.x versions before 2022.1.7
  • MOVEit Transfer 2022.0.x versions before 2022.0.6
  • MOVEit Transfer 2021.1.x versions before 2021.1.6
  • MOVEit Transfer 2021.0.x versions before 2021.0.8
  • MOVEit Transfer 2020.1.x versions before 2020.1.10

Mitigation

The vendor has suggested the following two methods to patch the vulnerability.

  1. DLL drop-in

Required version for DLL drop-in                        Fixed version (DLL drop-in)
MOVEit Transfer 2023.0.1, 2023.0.2 (15.0.1, 15.0.2)     MOVEit Transfer 2023.0.3 (15.0.3)
MOVEit Transfer 2022.1.5, 2022.1.6 (14.1.5, 14.1.6)     MOVEit Transfer 2022.1.7 (14.1.7)
MOVEit Transfer 2022.0.4, 2022.0.5 (14.0.4, 14.0.5)     MOVEit Transfer 2022.0.6 (14.0.6)
MOVEit Transfer 2021.1.4, 2021.1.5 (13.1.4, 13.1.5)     MOVEit Transfer 2021.1.6 (13.1.6)
MOVEit Transfer 2021.0.6, 2021.0.7 (13.0.6, 13.0.7)     MOVEit Transfer 2021.0.8 (13.0.8)
MOVEit Transfer 2020.1.6 (12.1.6) or later              MOVEit Transfer 2020.1.10 (12.1.10)
MOVEit Transfer 2020.0.x (12.0) or older                MUST upgrade to a supported version

NOTE: Please read the README.txt before attempting the DLL Drop-in Install. Do not leave old versions of these DLL files on the system. They must be completely removed, not just renamed.

  2. Full installer

Affected version                            Fixed version (full installer)
MOVEit Transfer 2023.0.x (15.0.x)           MOVEit Transfer 2023.0.3 (15.0.3)
MOVEit Transfer 2022.1.x (14.1.x)           MOVEit Transfer 2022.1.7 (14.1.7)
MOVEit Transfer 2022.0.x (14.0.x)           MOVEit Transfer 2022.0.6 (14.0.6)
MOVEit Transfer 2021.1.x (13.1.x)           MOVEit Transfer 2021.1.6 (13.1.6)
MOVEit Transfer 2021.0.x (13.0.x)           MOVEit Transfer 2021.0.8 (13.0.8)
MOVEit Transfer 2020.1.x (12.1)             Must update to at least 2020.1.6, then apply the DLL drop-in above
MOVEit Transfer 2020.0.x (12.0) or older    MUST upgrade to a supported version
MOVEit Cloud                                Prod: 14.1.6.97 or 14.0.5.45; Test: 15.0.2.39
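Triage against the two tables above is easiest to get right when the build-number ranges are written down as code rather than read off by hand. The following PowerShell function is an added example, not code from Progress or Qualys; it takes an internal MOVEit Transfer build number (the parenthesized form, 15.0.x = 2023.0.x, 14.1.x = 2022.1.x, 14.0.x = 2022.0.x, 13.1.x = 2021.1.x, 13.0.x = 2021.0.x, 12.1.x = 2020.1.x) and reports whether it is below the fixed build for its branch and which remediation path the tables prescribe. The function and property names are this example's own, and the sample inventory at the bottom mixes the MOVEit Cloud builds quoted on this page with invented on-premises builds.

```powershell
# Added example (not from the Progress advisory or Qualys): classify a MOVEit Transfer
# build number against the fixed builds in the tables on this page.

# First build in each branch that carries the CVE-2023-35708 fix.
$FixedBuild = @{
    '15.0' = [version]'15.0.3'    # MOVEit Transfer 2023.0.3
    '14.1' = [version]'14.1.7'    # MOVEit Transfer 2022.1.7
    '14.0' = [version]'14.0.6'    # MOVEit Transfer 2022.0.6
    '13.1' = [version]'13.1.6'    # MOVEit Transfer 2021.1.6
    '13.0' = [version]'13.0.8'    # MOVEit Transfer 2021.0.8
    '12.1' = [version]'12.1.10'   # MOVEit Transfer 2020.1.10
}

# Lowest build in each branch that may take the DLL drop-in instead of a full install.
$DropInMinimum = @{
    '15.0' = [version]'15.0.1'    # 2023.0.1 / 2023.0.2
    '14.1' = [version]'14.1.5'    # 2022.1.5 / 2022.1.6
    '14.0' = [version]'14.0.4'    # 2022.0.4 / 2022.0.5
    '13.1' = [version]'13.1.4'    # 2021.1.4 / 2021.1.5
    '13.0' = [version]'13.0.6'    # 2021.0.6 / 2021.0.7
    '12.1' = [version]'12.1.6'    # 2020.1.6 or later
}

function Test-MoveitTransferVersion {
    <# Emits one object per build: Vulnerable ($true, $false, or $null when the branch
       is not covered by this advisory), the fixing build, and the remediation path. #>
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Version)
    process {
        $v = [version]$Version                       # accepts 3- or 4-part build numbers
        $branch = '{0}.{1}' -f $v.Major, $v.Minor
        $result = [ordered]@{ Version = $Version; Branch = $branch
                              Vulnerable = $null; FixedBuild = $null; Action = '' }

        if ($FixedBuild.ContainsKey($branch)) {
            $fixed = $FixedBuild[$branch]
            $result.FixedBuild = $fixed.ToString()
            # [version] comparison treats a missing 4th part as -1, so 15.0.3.x is not
            # below 15.0.3 while 14.1.6.97 is below 14.1.7.
            $result.Vulnerable = $v -lt $fixed
            if (-not $result.Vulnerable) {
                $result.Action = 'Fixed build already installed'
            } elseif ($v -ge $DropInMinimum[$branch]) {
                $result.Action = "Apply the DLL drop-in or the full installer for $fixed"
            } elseif ($branch -eq '12.1') {
                $result.Action = 'Update to at least 12.1.6 (2020.1.6), then apply the DLL drop-in'
            } else {
                $result.Action = "Run the full installer for $fixed"
            }
        } elseif ($v -lt [version]'12.1') {
            # 2020.0.x (12.0) and older: no patch exists, the product must be upgraded
            $result.Vulnerable = $true
            $result.Action = 'Out of support: upgrade to a supported version'
        } else {
            $result.Action = 'Branch not covered by this advisory: check the vendor page'
        }
        [pscustomobject]$result
    }
}

# Constructed sample inventory: the MOVEit Cloud builds quoted on this page plus
# invented on-premises builds that exercise each remediation path.
'14.1.6.97', '15.0.2.39', '15.0.3', '15.0.0', '12.1.7', '12.1.2', '12.0.5' |
    Test-MoveitTransferVersion | Format-Table -AutoSize
```

Feed it the build numbers your asset inventory or the Qualys finding reports; anything flagged Vulnerable with a drop-in action still needs the README.txt caveat above (old DLLs removed, not renamed) applied by hand.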

For more information, please refer to the MOVEit Security Advisory.

The advisory has provided mitigation steps to help prevent unauthorized access to your MOVEit Transfer environment. The mitigation steps can be applied before applying the June 15th patch (CVE-2023-35708).

  1. Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment. More specifically:
  • Modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443.
  • It is important to note that until HTTP and HTTPS traffic is enabled again:
    • Users cannot log on to the MOVEit Transfer web UI.
    • MOVEit Automation tasks that use the native MOVEit Transfer host will not work.
    • REST, Java, and .NET APIs will not work.
    • The MOVEit Transfer add-in for Outlook will not work.
  • SFTP and FTP/S protocols will continue to work as normal.
  2. As a workaround

Administrators can still access MOVEit Transfer by connecting to the Windows machine over Remote Desktop and then browsing to https://localhost/.

For more information on localhost connections, please refer to the MOVEit Transfer Help.

  3. Apply the patch

As patches for supported MOVEit Transfer versions become available, links will be provided below. Supported versions are listed at the following link: https://community.progress.com/s/products/moveit/product-lifecycle. Please note the license file can remain the same when staying on a major release to apply the patch.

  4. Enable all HTTP and HTTPS traffic to your MOVEit Transfer environment.
  5. Bookmark the Progress Security Page and refer to it to ensure you have all the latest updates.
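Steps 1 and 4 above are typed into the Windows host that runs MOVEit Transfer, so the following PowerShell is an added example of expressing them as a single, named Windows Defender Firewall rule that can be created before the patch and removed after it. It is not vendor-provided code; the rule display name and function names are this example's own, and it assumes MOVEit Transfer is listening on the default ports 80 and 443 (adjust -LocalPort if your site uses others) and that the session is elevated.

```powershell
# Added example (not from the Progress advisory or Qualys): the web-traffic block from
# step 1 and its reversal from step 4 as a Windows Defender Firewall rule on the
# MOVEit Transfer host. Requires an elevated session; the NetSecurity cmdlets ship
# with Windows Server 2012 and later.

$RuleName = 'MOVEit Transfer - CVE-2023-35708 mitigation (block TCP 80/443)'  # example's own name

function Disable-MoveitWebTraffic {
    # Step 1: deny inbound HTTP/HTTPS to the web application. Block rules win over the
    # allow rules the MOVEit installer created, so nothing else has to be edited.
    # SFTP and FTP/S listeners are untouched, matching the advisory's note that those
    # protocols keep working, and loopback is not filtered, so the https://localhost/
    # workaround in step 2 still functions.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName `
            -Direction Inbound -Protocol TCP -LocalPort 80, 443 `
            -Action Block -Profile Any -Enabled True | Out-Null
    }
    Get-NetFirewallRule -DisplayName $RuleName |
        Select-Object DisplayName, Enabled, Direction, Action
}

function Enable-MoveitWebTraffic {
    # Step 4: once the fixed build is installed, remove only the temporary block rule.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

function Test-MoveitWebTraffic {
    # Confirm the result from a different machine: both ports should be unreachable
    # while the block is in place and reachable again after Enable-MoveitWebTraffic.
    param([Parameter(Mandatory)][string]$ComputerName)
    foreach ($port in 80, 443) {
        $probe = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $ComputerName; Port = $port; Reachable = $probe.TcpTestSucceeded }
    }
}

# Typical sequence on the MOVEit Transfer host:
#   Disable-MoveitWebTraffic        # before the patch (step 1)
#   ... install the fixed build ... # step 3
#   Enable-MoveitWebTraffic         # after the patch (step 4)
# and, from another machine, Test-MoveitWebTraffic -ComputerName <moveit-host> at each stage.
```

Keeping the mitigation in one named rule, rather than editing the product's own allow rules, makes step 4 a deletion that cannot accidentally leave the web listener closed or open something the installer never allowed.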

Qualys Detection

Qualys customers can scan their devices with QID 378591 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References

https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023
