Hackers Quick to Exploit MOVEit Authentication Flaw
Progress Software: 'Newly Disclosed Third-Party Vulnerability Introduces New Risk'

Hackers jumped on a new flaw in Progress Software's MOVEit managed file transfer application just hours after the company publicly disclosed the critical flaw, which allows attackers to bypass authentication.
The company also disclosed a similar flaw in its Gateway proxy service meant to restrict public internet access to the transfer application.
Customers of the Massachusetts company are no strangers to emergency patching after their May 2023 experience of a mass attack on the transfer software led by Russian-speaking ransomware group Clop, which exploited a zero-day over the Memorial Day weekend (see: Known MOVEit Attack Victim Count Reaches 2,618 Organizations).
Progress Software said Tuesday it distributed on June 11 a patch for an authentication bypass vulnerability in the file transfer app tracked as CVE-2024-5806.
But a "newly disclosed third-party vulnerability introduces new risk," it said.
The company urged customers to block inbound remote desktop protocol access to MOVEit servers and limit outbound connection to known, trusted endpoints.
In a Thursday emailed response to this article, Progress Software spokesperson Danielle Sutherby said the company has "not received any reports that these vulnerabilities have been exploited and we are not aware of any direct operational impact to customers."*
Cybersecurity company watchTowr said in a blog post that the third-party flaw resides in IPWorks SSH, which Progress Software uses for key pair authentication, supplemented by extra company-made functionality.
The North Carolina maker of IPWorks SSH, a company called /n software, said it has already rolled out a patch. "The scope of the vulnerability is dependent on how developers use the component, and we expect it to be limited," said /n software CEO Gent Hito in an email. "It's worth noting that the security researchers notified us just 24 hours before release on Monday, while they had known and worked on this for weeks - which is regrettable."
Researchers at watchTowr said the attack scenario requires a hacker to trick the MOVEit Transfer logging system into storing one half of an authentication key pair, which it does automatically by recording a public key supplied as the supposed username in a failed logon attempt. With the public key stored on the MOVEit system, an attacker could then present a valid username together with the attacker-controlled private key matching that public key to gain access.
"This is a devastating attack - it allows anyone who is able to place a public key on the server to assume the identity of any SFTP user at all. From here, this user can do all the usual operations - read, write, or deleting files, or otherwise cause mayhem," said the researchers, referring to the secure FTP module within the MOVEit file transfer system.
One consolation is that any attack following watchTowr's scenario "is necessarily quite noisy in terms of log entries," the company said. MOVEit system administrators who implemented IP whitelisting for logins will have another layer of security, it added.
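The noise the researchers mention can be turned into a detection. The following is an added example, not code from the article, watchTowr or Progress Software: it flags failed logons whose recorded username is shaped like an OpenSSH public key, then flags any later successful logon from the same source. The tab-separated log layout and the sample lines are constructed assumptions; MOVEit's real log format is not shown in the article.

```python
import base64
import re
import struct

# Key-type prefixes that belong in an SSH public key, never in a username.
KEY_TYPE_RE = re.compile(
    r"^(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))\s+([A-Za-z0-9+/]+=*)")

# Constructed key: valid ed25519 public-key layout (length-prefixed type, then
# length-prefixed key bytes) wrapped around dummy key material.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + b"\x11" * 32
FAKE_PUBKEY = "ssh-ed25519 " + base64.b64encode(_blob).decode()

# Constructed log lines in a hypothetical tab-separated layout (the article does
# not show MOVEit's real format): timestamp, service, event, source IP, username.
SAMPLE_LOG = "\n".join([
    "2024-06-25T10:00:01Z\tsftp\tLOGON_FAILED\t203.0.113.7\talice",
    f"2024-06-25T10:00:05Z\tsftp\tLOGON_FAILED\t203.0.113.7\t{FAKE_PUBKEY}",
    "2024-06-25T10:00:09Z\tsftp\tLOGON_OK\t203.0.113.7\tbob",
    "2024-06-25T11:30:00Z\tsftp\tLOGON_OK\t198.51.100.4\tcarol",
])

def looks_like_public_key(username):
    """True if the logged 'username' has the shape of an OpenSSH public key."""
    m = KEY_TYPE_RE.match(username.strip())
    if not m:
        return False
    key_type, b64 = m.group(1), m.group(2)
    try:
        blob = base64.b64decode(b64, validate=True)
        (name_len,) = struct.unpack(">I", blob[:4])
    except (ValueError, struct.error):  # bad base64, or blob shorter than 4 bytes
        return False
    # A real key blob starts with a length-prefixed copy of the key type.
    return blob[4:4 + name_len] == key_type.encode()

def scan(log_text):
    """Return (key-shaped failed logons, later successful logons from those sources)."""
    key_failures, followup_logons, flagged_sources = [], [], set()
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue  # skip malformed lines instead of aborting the scan
        ts, _service, event, src, user = parts
        if event == "LOGON_FAILED" and looks_like_public_key(user):
            key_failures.append((ts, src))
            flagged_sources.add(src)
        elif event == "LOGON_OK" and src in flagged_sources:
            followup_logons.append((ts, src, user))
    return key_failures, followup_logons
```

The key-shape check decodes the base64 and verifies the SSH wire-format header, so a username that merely starts with "ssh-rsa" is not flagged on its own.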
Security firm Censys said on Tuesday that at least 2,700 MOVEit Transfer instances are online, mainly in the United States. The Shadowserver Foundation found about 1,770 internet-exposed MOVEit Transfer instances. It said that hackers launched attempts to exploit the flaw "very shortly" after the vulnerability became public knowledge.
The German Federal Office for Information Security urged MOVEit users to patch immediately.
Progress Software's other authentication bypass flaw - the one in its Gateway product - has garnered less attention. Tracked as CVE-2024-5805, it is also rated critical by Progress Software, but only affects version 2024.0.0. MOVEit Gateway is an optional add-on proxy service that system administrators can deploy into a company's network demilitarized zone to ensure that Transfer isn't exposed to the public internet.
*Updated June 27, 2024, 19:53 UTC: Adds comments from Progress Software spokesperson.