This advisory is for organizations that use MOVEit Transfer by Progress (formerly ipswitch). If your organization does not use this service, this notification may be discarded.
MOVEit Transfer is an application designed to move data securely across the enterprise while integrating advanced security features and encryption.
Summary
On 6/15/23, Progress released details on a critical SQL injection vulnerability in MOVEit Transfer that an attacker may leverage to obtain privilege escalation and unauthorized access to the organizational environment. Progress has taken HTTPS traffic down for MOVEit Cloud in response to this new vulnerability and is urging customers to immediately take down their HTTP and HTTPS traffic to protect their environments until they complete testing on the upcoming patch and release it. No CVE or CVSSv3 score has been assigned yet.
https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability
Note: this is separate from the vulnerability announced by Progess on 6/9/2023 which was another SQL injection vulnerability assigned CVE 2023-35036. This has not been assigned a CVSSv3 score yet but is considered to be a critical vulnerability which has been purported to already have been leveraged by CL0P in ransomware and data theft attacks. https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-CVE-2023-35036-June-9-2023
Note: another separate vulnerability assigned CVE 2023-34362 was announced of 5/31/2023 and is also a SQL injection vulnerability and has been assigned a rating CVSSv3 9.8. https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 This vulnerability has been leveraged by CL0P and potentially other groups to support remote attacks against organizations.
Mitigation
Progress strongly recommends that customers disable all HTTP and HTTPS traffic to your MOVEit Transfer environment. In all three vulnerability announcements, Progress provided the following remediation steps.
- Modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer (TCP ports 80/443)
- It is understood that this will render users unable to logon to the MOVEit Transfer web UI
- MOVEit Automation tasks that use the native MOVEit Transfer host will not work
- REST, Java and .NET APIs will not work
- SFTP and FTP/s protocol will continue to work as normal
- Continue to follow the supplied articles above to track available patches and specific remediation steps.
Additional Resources
Downloadable CSV file with Indicators of Compromise provided by Progress for CVE 2023-34362: https://community.progress.com/s/contentdocument/0694Q00000PoJAOQA3
Progress Situation Blog for CVE 2023-34362 and CVE 2023-35036: https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability
Article on newest MOVEit vulnerability: https://www.bleepingcomputer.com/news/security/moveit-transfer-customers-warned-of-new-flaw-as-poc-info-surfaces/
Joint CISA/FBI Notification on CVE 2023-34362: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
