December 26, 2024

HURRY UP AND MOVEIT

Critical MOVEit vulnerability puts huge swaths of the Internet at severe risk

A similar flaw last year left 1,800 networks breached. Will the latest one be as potent?

Dan Goodin – Jun 26, 2024 11:31 pm UTC

A critical vulnerability recently discovered in a widely used piece of software is putting huge swaths of the Internet at risk of devastating hacks, and attackers have already begun actively trying to exploit it in real-world attacks, researchers warn.

The software, known as MOVEit and sold by Progress Software, allows enterprises to transfer and manage files using various specifications, including SFTP, SCP, and HTTP protocols and in ways that comply with regulations mandated under PCI and HIPAA. At the time this post went live, Internet scans indicated it was installed inside almost 1,800 networks around the world, with the biggest number in the US. A separate scan performed Tuesday by security firm Censys found 2,700 such instances.

Causing mayhem with a null string

Last year, a critical MOVEit vulnerability led to the compromise of more than 2,300 organizations, including Shell, British Airways, the US Department of Energy, and Ontario's government birth registry, BORN Ontario, the latter of which led to the compromise of information for 3.4 million people.

On Tuesday, Progress Software disclosed CVE-2024-5806, a vulnerability that enables attackers to bypass authentication and gain access to sensitive data. The vulnerability, found in the MOVEit SFTP module, carries a severity rating of 9.1 out of 10. Within hours of the vulnerability becoming publicly known, hackers were already attempting to exploit it, researchers from the Shadowserver organization said.

A deep-dive technical analysis by researchers with the offensive security firm watchTowr Labs said that the vulnerability, found in the MOVEit SFTP module, can be exploited in at least two attack scenarios. The most powerful attack allows hackers to use a null string, a programming concept for no value, as a public encryption key during the authentication process. As a result, the hacker can log in as an existing trusted user.

"This is a devastating attack," watchTowr Labs researchers wrote. "It allows anyone who is able to place a public key on the server to assume the identity of any SFTP user at all. From here, this user can do all the usual operations: read, write, or delete files, or otherwise cause mayhem."

A separate attack described by the watchTowr researchers allows attackers to obtain cryptographic hashes masking user passwords. It works by manipulating SSH public key paths to execute a forced authentication using a malicious SMB server and a valid username. The technique will expose the cryptographic hash masking the user password. The hash, in turn, must be cracked.

The researchers said that the requirement of uploading a public key to a vulnerable server isn't a particularly high hurdle for attackers to clear, because the entire purpose of MOVEit is to transfer files. It's also not especially hard to learn or guess the names of user accounts on a system. The watchTowr post also noted that their exploits use IPWorks SSH, a commercial product Progress Software extends in MOVEit.

The Progress Software advisory said: "A newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue mentioned above if left unpatched. While the patch distributed by Progress on June 11th successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk."

The post advised customers to ensure inbound RDP access to MOVEit servers is blocked and to restrict outbound access to known trusted endpoints from MOVEit servers. A company representative declined to say if that component was IPWorks SSH.

The vulnerability affects MOVEit Transfer versions:

2023.0.0 before 2023.0.11
2023.1.0 before 2023.1.6
2024.0.0 before 2024.0.2

Fixes for 2023.0.11, 2023.1.6, and 2024.0.2 are available here, here, and here, respectively. MOVEit users can check the version they're running using this link.
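For admins who track many MOVEit Transfer installs, the affected ranges above can be turned into a quick patch-status check. The following is an added example written for this article, not code from Progress Software or watchTowr; the version ranges come from the advisory as quoted here, and the host inventory is constructed sample data.

```python
# Added example: triage MOVEit Transfer version strings against the
# affected ranges quoted in the article (CVE-2024-5806). Not vendor code.
import re

# (branch_start, first_fixed): affected when branch_start <= version < first_fixed
AFFECTED_RANGES = [
    ((2023, 0, 0), (2023, 0, 11)),
    ((2023, 1, 0), (2023, 1, 6)),
    ((2024, 0, 0), (2024, 0, 2)),
]


def parse_version(text):
    """Parse 'YYYY.minor.patch'; an optional trailing build number is ignored."""
    m = re.fullmatch(r"\s*(\d{4})\.(\d+)\.(\d+)(?:\.\d+)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Map host -> 'patch-required' | 'not-listed' | 'unknown'.

    'not-listed' only means the version is outside the three ranges in the
    advisory; branches older than 2023.0.0 are not covered by it at all and
    still deserve a manual look.
    """
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "patch-required" if is_affected(version) else "not-listed"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "mft-prod-01.example": "2023.0.10",   # in range, needs 2023.0.11
    "mft-prod-02.example": "2023.1.6",    # first fixed build on the 2023.1 branch
    "mft-dev-01.example": "2024.0.1.1",   # build suffix ignored, still affected
    "mft-legacy.example": "n/a",          # unparsable, flagged for review
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```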

Given the damage resulting from the mass exploitation of last year's MOVEit vulnerability, it's likely this latest one could follow a similar path. Affected admins should prioritize investigating if they're vulnerable ASAP and respond appropriately. Additional analysis and guidance is available here and here.

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene.