Critical Vulnerability in MOVEit Transfer (CVE-2024-5806)
Executive Summary
On June 25th, software company Progress publicly disclosed a critical severity vulnerability in their managed file transfer software application, MOVEit Transfer. The vulnerability is being tracked as CVE-2024-5806 and allows a remote attacker to bypass authentication and log in as any valid user on the system. This access could enable the attacker to download files accessible to any user on the MOVEit appliance. Since these appliances are typically used to securely transfer sensitive information, bypassing authentication mechanisms could result in the unauthorized download of a large amount of sensitive data stored on the MOVEit appliance.
Progress discovered this vulnerability internally prior to the disclosure and began distribution the patch on June 11th. At the time, they started privately communicating with and assisting affected users. The June 25th advisory was the first public disclosure. A third party security firm, Watchtowr, also published a detailed technical writeup of the advisory and Proof of Concept (PoC) exploit code on their blog. The vulnerability is complicated and can potentially be exploited a variety of ways. The Watchtowr writeup provides enough detail that Beazley Security expects financially motivated threat actors to develop and deploy weaponized exploits for this vulnerability over the coming few days. Researchers have already begun seeing attempted scans to identify vulnerable MOVEit instances. It should also be noted that the last time a critical vulnerability was found in MOVEit, the cl0p threat actor group exploited it in a widespread and highly damaging ransomware campaign.
Given these factors, Beazley Security is strongly recommending that organizations with internet exposed MOVEit transfer appliances apply Progress’ provided software patches as soon as possible.
Affected Systems / Products
The vulnerability affects the following Progress products:
- MOVEit Transfer from 2023.0.0 to before 2023.0.11
- MOVEit Transfer from 2023.1.0 to before 2023.1.6
- MOVEit Transfer from 2024.0.0 to before 2024.0.2
Progress provides instructions to verify MOVEit versions for clients here.
Mitigations / Workarounds
Beazley Security is not aware of any temporary mitigations or workarounds to address this vulnerability. The vendor provided software patch is the only solution.
Beazley Security will monitor Client’s endpoints through its MDR services utilizing some or all of the assets outlined below. This description outlines the Scope of Work's primary nature and is not an exhaustive list of support and service(s).
Patches
Progress has provided patch instructions in their advisory here. MOVEit cloud clients do not need to take any action, as their patches have already been applied. MOVEit Transfer clients on a current maintenance agreement have been instructed to access the upgrade by logging into the Progress Community.
Technical Details
The most comprehensive description of the vulnerability and how exploitation works can be found in the Watchtowr writeup. The software bug is essentially that an underlying system that handles authentication keys will, in a specific case, treat raw key data as a file path. This is a critical error, because:
- Treating data as a file path can lead to un-intended side effects, and
- This key data can be sent remotely by an attacker without authenticating
This has resulted in a vulnerability that Watchtowr researchers reported can be exploited in three ways described below.
Attack Scenario: Forced Authentication
The first attack scenario involves tricking the MOVEit server into connecting to an attacker-controlled machine to access a key. The attacker could then extract and crack an NTLM password hash from the connection.
This scenario requires the targeted MOVEit server to be able to connect to remote hosts over the Internet via SMB. While that type of traffic is often not allowed, it should not be assumed to be blocked. If this attack is successful, it will give an attacker access to the MOVEit service account.
The attack would look as follows:
Attack Scenario: Key Upload
The second attack scenario is more interesting. It is somewhat limited in that an attacker would need to:
- know an existing username, and
- be able to upload a key to the target MOVEit server
If an attacker can satisfy these conditions, they can login with the known username, but without having to use a password or legitimate key.
The attack would look as follows:
Attack Scenario: Key Injection
The third attack scenario is the most interesting and potentially dangerous. Watchtowr researchers discovered that for the following MOVEit Transfer API endpoint:
https://<target>/guestaccess.aspx/
This API will log HTTP POST requests in a way that an attacker can inject a key they control onto the server without having to use legitimate file upload processes. The attacker would still have to know an existing username but could login without knowing the password or having legitimate keys.
The attack would look as follows:
Attack Scenario: Username Enumeration
Both above attack scenarios require a threat actor to know an existing username on the victim MOVEit server, and Watchtowr detailed a method they developed to enumerate usernames on a target machine.
This cleverly uses the first attack scenario of passing an arbitrary network UNC path as a key to check if a guessed username is legitimate. If the attacker sets up a remote server to listen for these key requests, then starts testing usernames against the target MOVEit server, the MOVEit server will connect to the attacker-controlled server if a given username exists.
The enumeration attack would look as follows:
Detection Guidance
A threat actor attacking this vulnerability will have to eventually attempt an SFTP login, so threat hunts and detection strategies should center around that.
If an attacker attempts the username enumeration method detailed above, threat hunts should look for:
- Large amounts of brute force style SFTP attempts
- Suspicious outbound network connections from MOVEit processes during SFTP authentication
If an attacker attempts to use the “Key Upload” attack scenario, threat hunts should look for:
- Suspicious file uploads
- Suspicious file access by MOVEit processes during SFTP authentication
If an attacker attempts to use the “Key Injection” attack scenario, threat hunts should look for:
- Remote use of the guestaccess.aspx API
- POST requests to that API containing encryption keys
- guestaccess.aspx logs containing encryption keys
- Suspicious file access of log files by MOVEit processes during SFTP authentication
How Beazley Security is Responding
Beazley Security is monitoring client perimeter devices discovered by Karma to identify potentially impacted devices and support organizations in remediation of any issues found.
Sources
Aware of an incident impacting your industry? Let us know: