New MOVEit Critical Bug Sees Swift Exploitation Attempts

A MOVEit Transfer authentication bypass vulnerability disclosed Tuesday is now being targeted by threat actors, and customers are urged to apply patches on an emergency basis.

The flaw tracked as CVE-2024-5806 was given a CVSS critical score of 9.1 by MOVEit Transfer provider Progress Software Corporation, which began distributing a patch on June 11 prior to the June 25 public disclosure.

CVE-2024-5806 is a bug in the MOVEit Transfer Secure File Transfer Protocol (SFTP) service that affects 2023.0.0 versions prior to the fixed version 2023.0.11, 2023.1.0 versions prior to 2023.1.6 and 2024.0.0 prior to 2024.0.2. Attackers could exploit the flaw to access accounts without knowing credentials.

Within hours of the advisory’s publication, The Shadowserver Foundation detected exploitation attempts targeting vulnerability on honeypot systems.

“While there’s a lot of unknowns surrounding the flaw at the present time, we have yet to see any acknowledgement of exploitation in the wild,” noted Scott Caveza, a staff research engineer at Tenable, in an email to SC Media. “Despite this, we’re still urging customers to patch this vulnerability as soon as possible.”

2,700 MOVEit Transfer instances exposed online

While the Progress advisory does not provide further details about how the bug could be exploited, Rapid7 published a blog explaining that an attacker would need to target an account that can be authenticated remotely, the SFTP instance would need to be exposed and the targeted account’s username would need to be known by the attacker.

The blog author noted that attackers may spray usernames to discover vulnerable accounts. And, according to Censys, approximately 2,700 MOVEit Transfer instances, mostly from the United States, were exposed online at the time that the advisory was published. However, it is unknown how many exposed instances remained vulnerable to the flaw.

“When compared to MOVEit Transfer exposure numbers from 2023, then numbers are remarkably similar, as are the geographies and networks where MOVEit Transfer is observed,” Censys stated.

Last May, a critical SQL injection vulnerability in MOVEit Transfer, tracked as CVE-2023-34362, was massively exploited by the Cl0p ransomware group in a widespread supply chain attack affecting more than 2,500 organizations and more than 64 million individuals, and counting.

“It’s not that MOVEit is necessarily less secure than any other product, however the earlier successes exploiting the product is going to keep it in the crosshairs for security researchers and bad actors alike,” said Erich Kron, security awareness advocate at KnowBe4, in an email to SC Media. “Users of the software need to ensure they have a plan in place for rapid patch deployment and threat mitigation. When new vulnerabilities become exposed, organizations are going to want to be agile enough to shut the door on the threats immediately.”

Although CVE-2024-5806 may have a smaller attack surface, as it affects fewer versions than CVE-2023-34362, the potential devastating consequences of the critical authentication bypass flaw makes the need to patch affected versions especially urgent.

“Rapid7 recommends installing the vendor-provided patches for CVE-2024-5806 on an emergency basis, without waiting for a regular patch cycle to occur,” the security company stated.

PoC exploit, technical details of CVE-2024-5806 now publicly available

Progress’ early notification efforts and distribution of the patch for CVE-2024-5806 gave cyber defenders at least a two-week head start to defend against anticipated exploitations. Within 20 minutes of the flaw being publicly disclosed, researchers at watchTowr published a proof-of-concept exploit for the vulnerability, stating they were “lucky enough to receive a tip-off” enabling them to analyze CVE-2024-5806 prior to the embargo lifting.

watchTowr also published their in-depth technical analysis of the flaw and its exploitation on Tuesday, describing how authentication can be achieved by providing a valid username and SSH public key.

“CVE-2024-5806 is a severe vulnerability, however based on the detailed analysis and exploit code from researchers at watchTowr, it does appear that this vulnerability is not easily weaponizable and still requires an attacker to take additional steps in order to exploit a potential target,” said Caveza.

watchTowr also noted that an apparent vulnerability in the IPWorks SSH component of MOVEit facilitates the exploitation of CVE-2024-5806.

“While the more devastating vulnerability, the ability to impersonate arbitrary users, is unique to MOVEit, the less impactful (but still very real) forced authentication vulnerability is likely to affect all applications that use the IPWorks SSH server,” the researchers noted.

Progress updated its advisory on Tuesday night upgrading the CVSS score of CVE-2024-5806 to its current 9.1 and disclosing a “newly identified 3rd party vulnerability” that has yet to be patched, without stating whether the update was in reference to the IPWorks SSH server flaw.

The updated advisory states the third-party flaw is not addressed by the June 11 patch and customers are recommended to block public inbound RDP access to MOVEit Transfer servers and limit outbound access only to known trusted endpoints.

“While this is not the first time we’ve seen a vendor take measures to protectively warn and secure customers prior to public acknowledgement of a vulnerability, it could have been a risky move. An unknown individual tipped watchTowr off to the vulnerability well before it became public knowledge. If this individual had malicious intentions, this information could have easily been given to threat actor groups to develop an exploit and abuse the flaw,” Caveza noted.

Another critical flaw, tracked as CVE-2024-5805, in MOVEit Gateway was also disclosed by Progress on Tuesday, and only affects MOVEit Gateway 2024.0.0. This flaw also has a CVSS score of 9.1 and could allow for authentication bypass.

READ MORE HERE