Critical MOVEit vulnerability puts large areas of the Internet at serious risk

A recently discovered critical vulnerability in widely used software is putting large swaths of the Internet at risk of devastating attacks, and attackers have already begun actively trying to exploit it in real-world attacks, researchers warn.

The software, known as MOVEit and sold by Progress Software, allows businesses to transfer and manage files over various protocols, including SFTP, SCP and HTTP, in a manner that complies with regulations such as PCI and HIPAA. At the time this post was published, Internet scans indicated it was installed within nearly 1,800 networks worldwide, with the largest number in the U.S. A separate analysis conducted Tuesday by security firm Censys found 2,700 such installations.

Causing chaos with a null string

Last year, a critical MOVEit vulnerability compromised more than 2,300 organizations, including Shell, British Airways, the US Department of Energy, and the Ontario government’s birth registry, BORN Ontario, the latter of which exposed the data of 3.4 million people.

On Tuesday, Progress Software disclosed CVE-2024-5806, a vulnerability that allows attackers to bypass authentication and gain access to sensitive data. The vulnerability, found in MOVEit’s SFTP module, has a severity rating of 9.1 out of 10. Within hours of the vulnerability becoming public, hackers were already trying to exploit it, researchers from the organization Shadowserver said.

A deep technical analysis by researchers at offensive security firm watchTowr Labs said the vulnerability, found in MOVEit’s SFTP module, can be exploited in at least two attack scenarios. The most powerful attack allows hackers to use a null string (a programming concept that means there is no value) as a public encryption key during the authentication process. As a result, the hacker can log in as an existing trusted user.

“This is a devastating attack,” wrote watchTowr Labs researchers. “It allows anyone who can place a public key on the server to assume the identity of any SFTP user. From here, this user can perform all the usual operations: read, write or delete files, or otherwise cause chaos.”

A separate attack described by watchTowr researchers allows attackers to obtain the cryptographic hashes that mask user passwords. It works by manipulating SSH public key paths to perform “forced authentication” against a malicious SMB server using a valid username. The technique exposes the cryptographic hash that masks the user’s password. The hash, in turn, must still be cracked.

The researchers said that the requirement of uploading a public key to a vulnerable server is not a particularly high hurdle for attackers, because the entire purpose of MOVEit is to transfer files. It’s also not particularly difficult to learn or guess the names of a system’s user accounts. The watchTowr post also noted that their exploits use IPWorks SSH, a commercial product that Progress Software incorporates into MOVEit.

The Progress Software advisory said: “A newly identified vulnerability in a third-party component used in MOVEit Transfer raises the risk of the original issue mentioned above if left unpatched. While the patch distributed by Progress on June 11 successfully addresses the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces a new risk.”

The post recommended customers ensure inbound RDP access to MOVEit servers is blocked and restrict outbound access to known trusted endpoints from MOVEit servers. A company representative declined to say whether that component was IPWorks SSH.

The vulnerability affects the following versions of MOVEit Transfer:

  • 2023.0.0 before 2023.0.11
  • 2023.1.0 before 2023.1.6
  • 2024.0.0 before 2024.0.2

Fixes for 2023.0.11, 2023.1.6, and 2024.0.2 are available here, here, and here, respectively. MOVEit users can check which version they are running using this link.
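The version ranges above are the kind of thing that gets mis-read under pressure (“2023.0.3.1” is below 2023.0.11 and therefore affected; “2023.0.11” itself is fixed). The following is an added example, not code from Progress Software or from the article, that encodes the three ranges exactly as the advisory states them and classifies a reported MOVEit Transfer version as affected, patched, or outside the listed branches. The `classify` function name, the inventory format, and the sample host list are assumptions constructed for this example.

```python
from typing import Iterable, List, Tuple

# Affected ranges as stated in the advisory quoted in the article:
# (first affected version, inclusive; first fixed version, exclusive).
AFFECTED_RANGES = [
    ("2023.0.0", "2023.0.11"),
    ("2023.1.0", "2023.1.6"),
    ("2024.0.0", "2024.0.2"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version such as '2023.0.3.1' into a tuple of ints.

    Tuples compare lexicographically, so (2023, 0, 3, 1) < (2023, 0, 11),
    which is the ordering a patch-level comparison needs.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return 'affected', 'patched', or 'unlisted' for a MOVEit Transfer version.

    'unlisted' means the major.minor branch is not one of the three the
    advisory enumerates; it is deliberately not reported as safe, so the
    caller must check such hosts against the vendor's guidance separately.
    """
    v = parse_version(version)
    for lo_s, hi_s in AFFECTED_RANGES:
        lo, hi = parse_version(lo_s), parse_version(hi_s)
        if v[:2] != lo[:2]:
            continue  # different major.minor branch than this range
        if lo <= v < hi:
            return "affected"
        if v >= hi:
            return "patched"
    return "unlisted"


def is_affected(version: str) -> bool:
    return classify(version) == "affected"


def hosts_needing_patch(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Given (hostname, version) pairs, return the hosts still in an affected range."""
    return [host for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("moveit-01.example.internal", "2023.0.10"),   # affected
    ("moveit-02.example.internal", "2023.0.11"),   # patched
    ("moveit-03.example.internal", "2024.0.1"),    # affected
    ("moveit-04.example.internal", "2023.0.3.1"),  # affected (four-part version)
    ("moveit-05.example.internal", "2022.1.3"),    # branch not in the advisory list
]

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY:
        print(f"{host:30} {ver:12} {classify(ver)}")
    print("needs patch:", hosts_needing_patch(SAMPLE_INVENTORY))
```

Feed it the output of whatever inventory source you already have for the MOVEit servers; the point of the `unlisted` status is to keep hosts on branches the advisory does not mention in the review queue rather than silently treating them as fixed.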

Given the damage resulting from last year’s massive exploitation of the MOVEit vulnerability, it is likely that this new vulnerability could follow a similar path. Affected administrators should prioritize investigating whether they are vulnerable as soon as possible and respond appropriately. Additional analysis and guidance is available here and here.
