Progress Software disclosed two critical-severity authentication bypass flaws in its MOVEit Gateway and Transfer products on Tuesday. The Shadowserver Foundation, a nonprofit security organization, said that it has observed exploit attempts for one of the flaws in MOVEit Transfer "very shortly after vulnerability details were published" on Tuesday.
The latest flaw (CVE-2024-5806) in MOVEit Transfer, Progress Software’s managed file transfer software that is known for last year’s major, widely exploited zero-day bug, stems from improper authentication in the SSH File Transfer Protocol (SFTP) module and can enable an authentication bypass. Progress Software said the issue impacts MOVEit Transfer versions from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6 and from 2024.0.0 before 2024.0.2.
In addition to upgrading to fixed MOVEit Transfer versions (2023.0.11, 2023.1.6 and 2024.0.2), customers are urged to block any public, inbound RDP access to their MOVEit Transfer servers and to limit outbound access from those servers to only known, trusted endpoints.
“A newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue… if left unpatched,” according to Progress Software in its Tuesday security alert. “While the patch distributed by Progress on June 11th successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk.”
While Progress Software has released only limited details of the MOVEit Transfer vulnerability, researchers with WatchTowr performed a deep-dive analysis of the issue and found that it’s a “serious vulnerability” that stems from the interaction between MOVEit and the IPWorks SSH library, which is a suite of components used to integrate SSH into applications.
“While this CVE is being touted as a vulnerability in Progress MOVEit, which is technically correct, we feel that what we’re actually seeing is not a case of a single issue, but two separate vulnerabilities, one in Progress MOVEit and one in IPWorks SSH server,” according to WatchTowr researchers Aliz Hammond and Sina Kheirkhah in the analysis. “While the more devastating vulnerability, the ability to impersonate arbitrary users, is unique to MOVEit, the less impactful (but still very real) forced authentication vulnerability is likely to affect all applications that use the IPWorks SSH server.”
There are several criteria that attackers would need to meet to be able to exploit this flaw. They would need knowledge of a valid username that exists on the SFTP subsystem (so they know who to impersonate), and that username would need to pass any IP-based restrictions imposed by the targeted organization. Attackers would also need to know whether the SFTP service is exposed.
As an enterprise file transfer product that handles troves of sensitive data, MOVEit Transfer has previously been targeted by threat actors, including the Cl0p ransomware group. However, WatchTowr researchers noted that the flaw had been discovered and embargoed for weeks before disclosure, and that during that time Progress Software had likely been contacting customers to patch the issue, giving them a leg up against threat actors.
A Progress Software spokesperson said that the company has not received any reports that the flaws have been exploited and that it is "not aware of any direct operational impact to customers."
"We recently internally confirmed vulnerabilities in MOVEit Transfer and MOVEit Gateway, notified those customers and made patches available," said the spokesperson. "Following industry best practice for responsible disclosure, we published the CVEs two weeks after notifying our customers and releasing the patch. The time period between patch release and CVE publication allowed our customers the ability to patch before public disclosure, decreasing the likelihood of exploitation."
Progress Software also patched a second critical-severity authentication bypass flaw this week (CVE-2024-5805) in MOVEit Gateway, which is a proxy service that can be used alongside deployments of the MOVEit Transfer file transfer software. The flaw stems from an improper authentication issue in version 2024.0.0, and a fix exists in version 2024.0.1.
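The affected and fixed versions for both products lend themselves to a simple inventory check. The following is an added example, not code from Progress Software or the cited researchers; it encodes only the ranges stated in this article, so builds outside those ranges (older release lines, for instance) return no verdict rather than a false "fixed".

```python
# Added example (not Progress Software's code): checks a MOVEit Transfer or
# MOVEit Gateway version string against the affected ranges stated in the
# advisory for CVE-2024-5806 and CVE-2024-5805. Product keys and function
# names are this example's own choice.
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) pairs; "before X" in the advisory means X is fixed.
AFFECTED: Dict[str, dict] = {
    "MOVEit Transfer": {
        "cve": "CVE-2024-5806",
        "ranges": [
            ((2023, 0, 0), (2023, 0, 11)),
            ((2023, 1, 0), (2023, 1, 6)),
            ((2024, 0, 0), (2024, 0, 2)),
        ],
    },
    "MOVEit Gateway": {
        "cve": "CVE-2024-5805",
        "ranges": [((2024, 0, 0), (2024, 0, 1))],
    },
}


def parse_version(text: str) -> Version:
    """Turn '2023.1.5' (or '2023.1') into a 3-tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def affected_cve(product: str, version: str) -> Optional[str]:
    """Return the CVE id if this version sits in an affected range, else None.

    Tuples compare numerically, so 2023.0.9 < 2023.0.11; a naive string
    compare would rank 2023.0.9 above 2023.0.11 and report it as fixed."""
    entry = AFFECTED.get(product)
    if entry is None:
        raise KeyError(f"unknown product: {product!r}")
    v = parse_version(version)
    for first_affected, first_fixed in entry["ranges"]:
        if first_affected <= v < first_fixed:
            return entry["cve"]
    return None
```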
“A patch is available for CVE-2024-5805 and should be applied on an emergency basis for organizations running MOVEit Gateway,” according to Rapid7 vulnerability researcher Ryan Emmons in an analysis of the flaw.
This article was updated on June 26 to include a comment from Progress Software.