Critical MOVEit Vulnerability Puts Huge Swaths of the Internet at Severe Risk

A critical vulnerability in a widely used file-transfer application puts large parts of the Internet at risk of damaging attacks, and researchers warn that attackers are already moving to exploit it.

The affected software, MOVEit, sold by Progress Software, lets enterprises transfer and manage files over protocols including SFTP, SCP, and HTTP, with controls aimed at regulatory regimes such as PCI and HIPAA. When this article was published, network scans showed it deployed on nearly 1,800 networks worldwide, most of them in the United States. A separate scan by the security firm Censys on Tuesday found 2,700 installations.

Sowing Havoc with a Null String

Last year, a critical MOVEit flaw led to the compromise of more than 2,300 organizations, including Shell, British Airways, the US Department of Energy, and Ontario's government birth registry, BORN Ontario. The BORN Ontario breach alone exposed data on 3.4 million people.

On Tuesday, Progress Software disclosed CVE-2024-5806, a vulnerability that lets attackers bypass authentication and access sensitive data. The flaw, in the MOVEit SFTP module, carries a severity rating of 9.1 out of 10. Within hours of the public disclosure, attackers were already attempting to exploit it, according to researchers at the Shadowserver Foundation.

A detailed technical analysis by the offensive security firm watchTowr Labs showed that the vulnerability in the SFTP module can be exploited through at least two attack paths. The more serious one lets an attacker present a null string (a string containing no characters) as the public key during authentication. The server accepts it, and the attacker can then impersonate an authenticated user.
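The empty-key bypass described above is a reminder that a public-key check must reject empty or malformed input before it compares anything. The following is an added example, not MOVEit's, IPWorks SSH's, or watchTowr's code: it builds a constructed OpenSSH-style key line from fake key bytes, parses the SSH wire-format blob, and contrasts a deliberately naive substring comparison (a stand-in for the failure class only, not the mechanism in MOVEit) with a strict check that parses and compares the decoded blob in constant time. Every function and sample value in it is an assumption introduced for illustration.

```python
from __future__ import annotations

import base64
import hmac
import struct

# Constructed sample key material: 32 bytes standing in for an Ed25519 public
# key. It is not a real key; it only gives the parser something well-formed.
FAKE_ED25519_RAW = bytes(range(32))


def encode_ssh_pubkey(key_type: str, raw: bytes) -> str:
    """Build an OpenSSH-style '<type> <base64 blob>' line.

    The blob uses the SSH wire encoding (RFC 4253 'string': a 4-byte
    big-endian length followed by the bytes), first for the key type,
    then for the raw key.
    """
    blob = (
        struct.pack(">I", len(key_type)) + key_type.encode("ascii")
        + struct.pack(">I", len(raw)) + raw
    )
    return f"{key_type} {base64.b64encode(blob).decode('ascii')}"


def parse_ssh_pubkey(line: str) -> bytes:
    """Return the decoded wire blob of a public key line, or raise ValueError.

    Empty input, bad base64, a truncated blob, or a type prefix that does
    not match the type embedded in the blob are all rejected here, before
    any comparison happens.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64>'")
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError("invalid base64") from exc
    if len(blob) < 4:
        raise ValueError("blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    if type_len == 0 or type_len > len(blob) - 4:
        raise ValueError("bad embedded type length")
    if blob[4:4 + type_len] != key_type.encode("ascii"):
        raise ValueError("type prefix does not match embedded key type")
    return blob


def naive_key_matches(presented: str, authorized: list[str]) -> bool:
    """Deliberately flawed stand-in (not MOVEit's logic): a substring test,
    so the empty string, or a bare key type, matches any stored key."""
    return any(presented in line for line in authorized)


def strict_key_matches(presented: str, authorized: list[str]) -> bool:
    """Hardened check: reject empty or malformed input up front, then compare
    the parsed blob (not the text) against each stored key in constant time."""
    if not presented.strip():
        return False
    try:
        blob = parse_ssh_pubkey(presented)
    except ValueError:
        return False
    for line in authorized:
        try:
            if hmac.compare_digest(blob, parse_ssh_pubkey(line)):
                return True
        except ValueError:
            continue  # a corrupt stored line is skipped, never matched
    return False


if __name__ == "__main__":
    authorized = [encode_ssh_pubkey("ssh-ed25519", FAKE_ED25519_RAW)]
    for probe in ("", "ssh-ed25519", authorized[0]):
        print(repr(probe[:20]), "naive:", naive_key_matches(probe, authorized),
              "strict:", strict_key_matches(probe, authorized))
```

The point of the strict version is ordering: validation of the presented value happens before any lookup, so an empty or type-mismatched key can never reach the comparison, and the comparison is on decoded bytes rather than on text that a substring or prefix test could be coaxed into matching.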

“This constitutes a devastating breach,” wrote the researchers at watchTowr Labs. “It permits anyone capable of placing a public key on the server to usurp the identity of any SFTP user. From this point, the intruder can perform all standard operations—read, write, or erase files, or otherwise sow chaos.”

A second attack described by the watchTowr researchers lets adversaries obtain the cryptographic hashes of user passwords. It works by manipulating SSH public-key paths to trigger a “forced authentication” against an attacker-controlled SMB server using a valid username. The outbound connection leaks the hash of the user's password, which the attacker must still crack before it yields a usable password.

The researchers said the requirement to upload a public key to a vulnerable server is not a significant hurdle, because uploading files is exactly what MOVEit is for. Guessing or enumerating usernames on a system isn't especially hard either. The watchTowr write-up also noted that their exploits rely on IPWorks SSH, a commercial SSH library that Progress Software uses in MOVEit.

The Progress Software advisory stated: “A newly identified vulnerability in a third-party component used in MOVEit Transfer exacerbates the risk of the original issue if left unpatched. Although the patch released by Progress on June 11th successfully mitigates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces additional risk.”

The advisory urged customers to block inbound RDP access to MOVEit servers and to limit outbound access from those servers to known, trusted endpoints. The outbound restriction also blunts the forced-authentication path, which depends on the MOVEit server being able to reach an attacker-controlled SMB host. A company representative declined to say whether the third-party component was IPWorks SSH.

The vulnerability affects MOVEit Transfer versions:

  • 2023.0.0 before 2023.0.11
  • 2023.1.0 before 2023.1.6
  • 2024.0.0 before 2024.0.2

The fixed releases are 2023.0.11, 2023.1.6, and 2024.0.2, respectively, and are available from Progress Software.
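The version list above maps directly onto a check an administrator can run against whatever version string their installation reports. The following is an added example, not a Progress Software tool: it encodes the three affected ranges from the advisory and classifies a version as affected, already fixed, or outside the advisory's list. How the version string is obtained from a given server is left to the reader; the function names and the dictionary layout are assumptions introduced here.

```python
import re

# Affected ranges as listed in the Progress advisory for CVE-2024-5806:
# (year, minor) branch -> (first affected version, first fixed version)
AFFECTED_RANGES = {
    (2023, 0): ((2023, 0, 0), (2023, 0, 11)),
    (2023, 1): ((2023, 1, 0), (2023, 1, 6)),
    (2024, 0): ((2024, 0, 0), (2024, 0, 2)),
}

# Accepts 'YYYY.minor.patch' with an optional fourth build number.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text: str) -> tuple:
    """Turn a MOVEit Transfer version string into a comparable (year, minor,
    patch) tuple. A trailing build number is ignored; anything else is an
    error rather than a silent 'not affected'."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    return tuple(int(m.group(i)) for i in (1, 2, 3))


def assess(version_text: str) -> dict:
    """Classify a version against the advisory's ranges.

    'affected' is True, False, or None when the branch is not one the
    advisory lists at all (older branches should be checked against the
    vendor advisory directly rather than assumed safe).
    """
    v = parse_version(version_text)
    branch = v[:2]
    if branch not in AFFECTED_RANGES:
        return {
            "version": version_text,
            "affected": None,
            "fixed_in": None,
            "note": "branch not in the advisory's affected list; "
                    "check the vendor advisory directly",
        }
    first, fixed = AFFECTED_RANGES[branch]
    affected = first <= v < fixed
    return {
        "version": version_text,
        "affected": affected,
        "fixed_in": ".".join(str(n) for n in fixed),
        "note": "upgrade required" if affected
                else "at or past the fixed release for this branch",
    }


if __name__ == "__main__":
    # Constructed sample inputs, one per branch plus one outside the list.
    for sample in ("2024.0.1", "2023.1.6", "2023.0.10.2", "2022.1.3"):
        result = assess(sample)
        print(sample, "->", result["affected"], result["fixed_in"], result["note"])
```

Treat a `None` result as "unknown", not as "safe": the advisory only enumerates the branches it covers, and an unrecognised version string raises rather than returning a reassuring answer.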

Given the damage caused by the exploitation of last year's MOVEit vulnerability, this flaw could lead to similar havoc. Administrators should determine immediately whether their installations are affected and patch them.

This article was originally published on Ars Technica.

FAQs

What is MOVEit and why is it important?

MOVEit Transfer is a managed file-transfer product from Progress Software that enterprises use to move and manage files over SFTP, SCP, and HTTP, often in environments subject to PCI or HIPAA requirements. Its wide deployment, and the damage done by last year's MOVEit breaches, are why a flaw in it matters.

How was the vulnerability discovered?

Progress Software disclosed the vulnerability, CVE-2024-5806, in its own advisory. The offensive security firm watchTowr Labs then published a technical analysis showing two ways to exploit it, and the Shadowserver Foundation observed exploitation attempts within hours of the disclosure.

What are the potential impacts of this vulnerability?

An attacker who can upload a public key and knows a valid username can bypass SFTP authentication and act as that user, reading, writing, or deleting their files. A second technique leaks password hashes to an attacker-controlled SMB server for offline cracking. The result for an affected organization is data theft and disruption on the scale seen in last year's MOVEit breaches.

How can organizations protect themselves?

Upgrade to the fixed releases (2023.0.11, 2023.1.6, or 2024.0.2) and follow the advisory's interim mitigations: block inbound RDP access to MOVEit servers and limit outbound access from them to known, trusted endpoints. Because the flaw bypasses SFTP authentication outright, general measures such as user education do not substitute for patching.

What steps has Progress Software taken to address the issue?

Progress Software released fixed versions on June 11 and published an advisory with interim mitigations. It has also warned that a separate vulnerability in a third-party component used by MOVEit Transfer adds risk for installations that remain unpatched.
