MS-ISAC NOTICE NUMBER:
2024-075
PUBLICATION DATES:
06/25/2024
PREVIEW:
Several vulnerabilities have been discovered in MOVEit products, which could allow authentication to be bypassed.
- MOVEit Gateway acts as a proxy between incoming public network connections and your internal trusted network.
- MOVEit Transfer is a managed and secure file transfer application.
Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication. An attacker could then view, modify, or delete data, or create new accounts with full user rights.
THREAT INTELLIGENCE:
Proof-of-concept (PoC) exploit code for CVE-2024-5806 has been publicly released.
AFFECTED SYSTEMS:
- MOVEit Gateway versions prior to 2024.0.1
- MOVEit Transfer versions prior to 2024.0.2, 2023.1.6, and 2023.0.11
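The fixed builds above are per release branch, so a simple "is my version lower than 2024.0.2" comparison misreports a patched 2023.1.6 Transfer host as vulnerable and a 2023.1.5 host as fixed. The following is an added example, not Progress or MS-ISAC tooling, that compares an installed version only against the fixed build on its own branch, using the version list in this advisory; the host inventory is constructed sample data and the handling of branches not named in the advisory (older branches reported as vulnerable, newer ones as fixed) is an assumption.

```python
"""Branch-aware version check for the MOVEit advisory above.

Added example, not Progress's or MS-ISAC's code. FIXED_VERSIONS is copied
from the AFFECTED SYSTEMS section; the inventory below is constructed data.
"""
from __future__ import annotations

# Earliest fixed build on each release branch, as listed in the advisory.
FIXED_VERSIONS: dict[str, list[str]] = {
    "MOVEit Gateway": ["2024.0.1"],
    "MOVEit Transfer": ["2023.0.11", "2023.1.6", "2024.0.2"],
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2023.1.6' into (2023, 1, 6); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, installed: str) -> bool:
    """True if the installed build is below the fixed build on its own branch.

    A branch is the first two components (e.g. 2023.1). A 2023.1.x install is
    compared only with 2023.1.6, never with 2024.0.2, so a patched 2023.1.6
    host is reported as fixed even though 2024.0.2 is numerically higher.
    Assumption (not stated in the advisory): a branch older than every listed
    fixed branch has no fix and is vulnerable; a branch newer than all of them
    is treated as fixed.
    """
    fixed = [parse_version(v) for v in FIXED_VERSIONS[product]]
    inst = parse_version(installed)
    branch = inst[:2]
    for fixed_build in fixed:
        if fixed_build[:2] == branch:
            return inst < fixed_build
    oldest_fixed_branch = min(f[:2] for f in fixed)
    return branch < oldest_fixed_branch


def hosts_needing_patch(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return the hostnames whose (product, version) is still vulnerable."""
    return [host for host, product, version in inventory
            if is_vulnerable(product, version)]


# Constructed sample inventory: (hostname, product, installed version).
SAMPLE_INVENTORY = [
    ("mft-gw-01", "MOVEit Gateway", "2024.0.0"),
    ("mft-gw-02", "MOVEit Gateway", "2024.0.1"),
    ("mft-xfer-01", "MOVEit Transfer", "2023.1.5"),
    ("mft-xfer-02", "MOVEit Transfer", "2023.1.6"),
    ("mft-xfer-03", "MOVEit Transfer", "2023.0.10"),
    ("mft-xfer-04", "MOVEit Transfer", "2022.1.9"),
    ("mft-xfer-05", "MOVEit Transfer", "2024.0.2"),
]

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: update required")
```

Feed it the product and version strings your asset inventory already holds; the parser deliberately rejects anything that is not plain dotted integers so that a mangled or suffixed version string raises rather than being silently classified.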
RISK:
Government:
Large and medium government entities
Small government
Companies:
Large and medium business entities
Small business entities
TECHNICAL SUMMARY:
Several vulnerabilities have been discovered in MOVEit products, which could allow authentication to be bypassed. The details of the vulnerabilities are as follows:
Tactic: Initial Access (TA0001):
Technique: Exploit Public-Facing Application (T1190):
- An improper authentication vulnerability in the SFTP module of Progress MOVEit Gateway allows authentication bypass. (CVE-2024-5805)
- An improper authentication vulnerability in the SFTP module of Progress MOVEit Transfer can lead to authentication bypass in limited scenarios. (CVE-2024-5806)
Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication. An attacker could then view, modify or delete data, or create new accounts with full user rights.
RECOMMENDATIONS:
We recommend that the following actions be taken:
- Apply appropriate updates provided by Progress to vulnerable systems immediately after appropriate testing. (M1051: Update software)
- Safeguard 7.1: Establish and maintain a vulnerability management process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually or when significant enterprise changes occur that could impact this safeguard.
- Safeguard 7.4: Perform automated application patch management: Perform application updates on enterprise assets with automated patch management on a monthly or more frequent basis.
- Safeguard 7.6: Perform automated vulnerability scans of externally exposed enterprise assets: Perform automated vulnerability scans of externally exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly or more frequent basis.
- Safeguard 7.7: Remediate detected vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly or more frequent basis, based on the remediation process.
- Apply the principle of least privilege to all systems and services. Run all software as an unprivileged user (without administrative privileges) to lessen the effects of a successful attack. (M1026: Privileged account management)
- Safeguard 4.7: Manage default accounts on enterprise assets and software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Examples of implementations may include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict administrator privileges to dedicated administrator accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and using a productivity suite, from the user's primary, non-privileged account.
- Prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include the use of network concentrators, RDP gateways, etc. (M1035: Limit access to resources over the network)
- Use intrusion detection signatures to block traffic at network boundaries. (M1031: Network intrusion prevention)
- Safeguard 13.3: Deploy a network intrusion detection solution: Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a network intrusion detection system (NIDS) or an equivalent cloud service provider (CSP) service.
- Safeguard 13.8: Deploy a network intrusion prevention solution: Deploy a network intrusion prevention solution, if applicable. Examples of implementation include using a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
- Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit protection)
- Safeguard 13.10: Perform application layer filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.