Progress has disclosed multiple SQL injection and Denial of Service vulnerabilities in MOVEit Transfer, addressed in the July 2023 Service Pack. CVE-2023-36934 is rated Critical, while CVE-2023-36932 and CVE-2023-36933 are rated High. Successful exploitation could allow an attacker to gain unauthorized access to the MOVEit Transfer database (reading or modifying its contents) or to cause the MOVEit Transfer service to terminate unexpectedly.
MOVEit Transfer is an on-premises Managed File Transfer (MFT) solution. It offers file encryption, activity tracking, tamper-evident logging, and centralized access controls for managing and auditing file movement. The product provides file transfer between business partners and customers over SFTP, SCP, and HTTP-based uploads, and is designed to help meet SLAs, internal governance requirements, and regulations such as PCI, HIPAA, CCPA/CPRA, and GDPR.
CVE-2023-36934
Guy Lederfein of Trend Micro, working with the Zero Day Initiative, discovered this vulnerability. It is a SQL injection flaw that allows remote, unauthenticated attackers to bypass authentication on affected installations. The flaw exists in the human.aspx endpoint, which uses a user-supplied string to construct a SQL query without properly validating it. An unauthenticated attacker can send a crafted request that causes the resulting query to execute attacker-controlled SQL. Successful exploitation may lead to disclosure and modification of MOVEit Transfer database content.
CVE-2023-36933
The vulnerability allows an attacker to invoke a method that results in an unhandled exception. Triggering this workflow can cause the MOVEit Transfer application to terminate unexpectedly.
CVE-2023-36932
Exploiting this SQL injection vulnerability requires authentication. An authenticated attacker may exploit it by sending a crafted payload to a MOVEit Transfer application endpoint. Successful exploitation may lead to disclosure and modification of MOVEit Transfer database content.
Affected Versions
The vulnerabilities affect Progress MOVEit Transfer versions before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4).
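The version list above is what an inventory check needs: an installation is affected when its patch level on a supported branch is below the fixed build. The script below is an added example (not a Progress or Qualys tool) that encodes the fixed builds from the advisory and classifies a version string. It accepts either the internal number (e.g. 15.0.3) or the year-based name (e.g. 2023.0.3), using the pairing the advisory gives for each branch; how you obtain the installed version from a host is left to your inventory process and is not assumed here.

```python
"""Added example: classify a MOVEit Transfer version against the July 2023 fixed builds.

The mapping is taken from the advisory's "Affected Versions" list; everything
else (function names, the year-to-internal mapping) is this example's own.
"""
from __future__ import annotations

# (major, minor) of the internal version -> first fixed patch level on that branch
FIXED_PATCH: dict[tuple[int, int], int] = {
    (12, 1): 11,  # 2020.1.11
    (13, 0): 9,   # 2021.0.9
    (13, 1): 7,   # 2021.1.7
    (14, 0): 7,   # 2022.0.7
    (14, 1): 8,   # 2022.1.8
    (15, 0): 4,   # 2023.0.4
}

# Year-based marketing major -> internal major, as paired in the advisory.
YEAR_TO_INTERNAL_MAJOR = {2020: 12, 2021: 13, 2022: 14, 2023: 15}


def parse_version(version: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) in internal numbering; raise on garbage."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised MOVEit Transfer version: {version!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    if major in YEAR_TO_INTERNAL_MAJOR:  # e.g. 2023.0.3 -> 15.0.3
        major = YEAR_TO_INTERNAL_MAJOR[major]
    return major, minor, patch


def assess(version: str) -> tuple[str, str | None]:
    """Classify a version as 'vulnerable', 'fixed' or 'unsupported'.

    The second element is the fixed build to move to, when one exists for
    the branch. Branches not in the advisory are reported as 'unsupported'
    rather than 'fixed', since no service pack exists for them.
    """
    major, minor, patch = parse_version(version)
    fixed_patch = FIXED_PATCH.get((major, minor))
    if fixed_patch is None:
        return "unsupported", None
    fixed_build = f"{major}.{minor}.{fixed_patch}"
    if patch < fixed_patch:
        return "vulnerable", fixed_build
    return "fixed", fixed_build


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("mft-01", "15.0.3"), ("mft-02", "2022.1.8"), ("mft-03", "12.0.9")]:
        print(host, ver, assess(ver))
```

A version below the first fixed build on any listed branch is reported as vulnerable together with the target build; an unlisted branch (for example 12.0) is reported as unsupported and should be treated as needing an upgrade rather than as patched.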
Mitigation
Progress has released service packs for each supported MOVEit Transfer branch to address these vulnerabilities. For details, refer to the Progress MOVEit Transfer security advisory.
The steps below apply the 2020.1 (12.1) service pack; the other supported branches have their own service packs, listed in the advisory, and the procedure is the same.
- Ensure you are on MOVEit Transfer 2020.1.6 (12.1.6) or a later version of 2020.1 (12.1). If not, first upgrade using the MOVEit Transfer 12.1.6 installer.
- Stop all MOVEit services and close the Config utility.
- Download and unzip the service pack file for your branch from the advisory.
- Follow the instructions in the README.txt file to identify where to place each file.
- Restart the MOVEit services.
Qualys Detection
Qualys customers can scan their devices with QIDs 378633 and 378634 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.zerodayinitiative.com/advisories/ZDI-23-897/
https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023