UPDATE: June 27, 2024: Progress Software upgraded the severity score of a MOVEit file-transfer service vulnerability, CVE-2024-5806, from a 7.4 to 9.1 on Tuesday. “A newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue mentioned above if left unpatched,” the company said in the updated advisory. “While the patch distributed by Progress on June 11 successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk.”
Dive Brief:
- Progress Software disclosed a pair of authentication bypass vulnerabilities in its widely used MOVEit file-transfer service Tuesday. The company issued advisories for CVE-2024-5805, which has a CVSS of 9.1, in Progress MOVEit Gateway and CVE-2024-5806, which has a CVSS of 9.1, in Progress MOVEit Transfer.
- The enterprise software vendor said it notified customers and provided patches for the vulnerabilities on June 11. Progress has not received any reports of active exploitation or direct operational impact to customers, Danielle Sutherby, marketing communications manager at Progress Software, said Tuesday via email.
- Attackers can exploit the authentication bypass vulnerabilities to gain access to potentially sensitive data. Researchers at Censys and Rapid7 haven’t observed exploitation in customer environments, but a proof-of-concept exploit for CVE-2024-5806 is publicly available. Shadowserver said it observed exploit attempts Tuesday soon after Progress disclosed the vulnerability.
Dive Insight:
The vulnerabilities arrive just over a year after MOVEit customers were caught in a spree of attacks linked to a widely exploited zero-day vulnerability in the file-transfer service.
By the end of 2023, the ransomware group Clop had compromised more than 2,700 organizations and exposed more than 93 million personal records held in MOVEit environments. More than 4 in 5 victim organizations had no direct relationship with Progress, yet were impacted through third-party vendors that did.
With the most significant cyberattack of 2023 fresh in their minds, researchers and threat hunters are only moderately concerned about the potential for a new wave of attacks against MOVEit customers. Censys observed 2,700 publicly exposed instances of MOVEit on Tuesday.
“While this is a serious vulnerability, the limited circumstances in which it seems it can be exploited would appear to make it somewhat less serious than the vulnerability exploited by Clop last year,” said Brett Callow, threat analyst at Emsisoft.
The steps required to exploit CVE-2024-5806, the vulnerability in MOVEit Transfer, are complicated but not impossible to achieve, as researchers at watchTowr Labs explained Tuesday in an exhaustive blog post detailing the steps they took to achieve exploitation.
“While MOVE has suffered some no brainer vulnerabilities in the past, this issue does not fall into the simple-error-that-should-not-have-made-it-into-hardened-software category,” watchTowr researchers said in the blog.
Performing an attack would be trivial for attackers who have the address of a vulnerable MOVEit instance and a valid username, Jared Semrau, senior manager of vulnerability and exploitation at Mandiant Intelligence, said Tuesday via email.
The additional CVE Progress disclosed Tuesday, a critical authentication bypass vulnerability, affects MOVEit Gateway, a component designed to proxy traffic to and from MOVEit Transfer instances.
Progress disclosed the vulnerabilities the same day it reported earnings for its fiscal second quarter, which ended May 31. It did not address the latest CVEs during the earnings call.
“Last month we passed the one-year anniversary of the attack on our customers’ MOVEit environments,” Progress Software President and CEO Yogesh Gupta said Tuesday on the call. “It is important to note that the business has remained solid, MOVEit annual recurring revenue has grown over that period and customers continue to be pleased with the way we’ve been working with them.”
Progress and researchers encourage MOVEit customers to upgrade to patched versions of the products on an emergency basis.