June 15, 2023
If you have been watching the vulnerability space, you know by now about the MOVEit Transfer security issues. Just today, the news is breaking that several US government agencies have been affected.
We are strongly encouraging everyone to remediate this risk.
Information and instructions can be found below.
Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment. If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment, while our team produces a patch.
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements. NOTE: this was exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS.
All MOVEit Transfer versions are affected by this vulnerability. See the table below for the security patch for each supported version. Customers on unsupported versions should upgrade to one of the supported fixed versions below.
Based on our review of this situation to date, the following products are not susceptible to this SQL injection vulnerability in MOVEit Transfer: MOVEit Automation, MOVEit Client, MOVEit Add-in for Microsoft Outlook, MOVEit Mobile, WS_FTP Client, WS_FTP Server, MOVEit EZ, MOVEit Gateway, MOVEit Analytics, and MOVEit Freely. At this time, no action is necessary for the above-mentioned products.
To help prevent successful exploitation of the mentioned SQLi vulnerability in your MOVEit Transfer environment, we strongly recommend that you immediately apply the following mitigation measures per the steps below.
1. Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment
a. Modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied.
It is important to note that until HTTP and HTTPS traffic is enabled again:
i. SFTP and FTPS protocols will continue to work as normal.
ii. Administrators will still be able to access MOVEit Transfer by using Remote Desktop to reach the Windows machine and then browsing to https://localhost/. For more information on localhost connections, please refer to MOVEit Transfer Help.
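The firewall step above in PowerShell, as an added example that is not part of the Progress advisory or of this page: it creates temporary inbound block rules for TCP 80 and 443 with the Windows Defender Firewall cmdlets, checks that they are active, and removes them again when the patch is in place (step 5). The rule group and display names are my own choice; run it in an elevated session on the MOVEit Transfer server itself.

```powershell
# Added example (not from the Progress advisory): temporary inbound block of
# HTTP/HTTPS to MOVEit Transfer until the patch is applied, plus the reverse
# step for later. Rule group/display names are assumptions, not MOVEit settings.

$RuleGroup = 'MOVEit CVE-2023-34362 temporary block'   # assumed group name

function Block-MoveitWebTraffic {
    # Block inbound TCP 80 and 443 on every firewall profile. SFTP and FTPS
    # listeners are not touched, matching the advisory's note that those
    # protocols keep working while the web ports are closed.
    foreach ($port in 80, 443) {
        New-NetFirewallRule -DisplayName "Block inbound TCP $port (MOVEit temporary)" `
            -Group $RuleGroup -Direction Inbound -Protocol TCP -LocalPort $port `
            -Action Block -Profile Any -Enabled True | Out-Null
    }
}

function Test-MoveitWebTrafficBlocked {
    # Returns $true only when enabled block rules for both ports exist.
    $rules = Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' }
    $ports = $rules | Get-NetFirewallPortFilter | Select-Object -ExpandProperty LocalPort
    return (('80' -in $ports) -and ('443' -in $ports))
}

function Unblock-MoveitWebTraffic {
    # Step 5 of the advisory: remove only the temporary rules created above,
    # leaving the server's other firewall configuration as it was.
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

Block-MoveitWebTraffic
if (Test-MoveitWebTrafficBlocked) {
    Write-Host 'Inbound TCP 80/443 to this host are blocked; administer via RDP and https://localhost/ meanwhile.'
} else {
    Write-Warning 'Block rules were not found after creation; check the firewall service and rerun.'
}
# Later, after the patch: Unblock-MoveitWebTraffic
```

Keeping the rules in their own group is what makes the later cleanup safe: `Unblock-MoveitWebTraffic` removes exactly the rules this script created and nothing else.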
2. Review, Delete and Reset
a. Delete Unauthorized Files and User Accounts
i. Delete any instances of the human2.aspx and .cmdline script files.
ii. On the MOVEit Transfer server, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.
iii. On the MOVEit Transfer server, look for new files created in the C:\Windows\TEMP\[random]\ directory with a file extension of .cmdline.
iv. Remove any unauthorized user accounts. See Progress MOVEit Users Documentation article.
v. Review logs for unexpected downloads of files from unknown IPs or large numbers of files downloaded. For more information on reviewing logs, please refer to MOVEit Transfer Logs guide.
vi. Review IIS logs for any events including GET /human2.aspx. Large numbers of log entries, or entries with large data sizes, may indicate unexpected file downloads.
vii. If applicable, review Azure logs for unauthorized access to Azure Blob Storage Keys and consider rotating any potentially affected keys.
b. Reset Credentials
i. Reset service account credentials for affected systems and MOVEit Service Account. See KB 000115941.
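The review items in step 2a (and the repeat pass called for in step 4) as a read-only PowerShell sweep, added here and not taken from the advisory: it lists any human2.aspx and .cmdline files, files created under the web root after a cutoff date, and parses IIS W3C logs for GET /human2.aspx requests and unusually large responses grouped by client IP. The web root and TEMP paths are the ones the advisory names; the IIS log directory (default site ID 1), the cutoff date, the 10 MB threshold and the sample log lines are assumptions or constructed data. The script only reports; deleting files and removing accounts stay manual, deliberate steps.

```powershell
# Added example (not from the Progress advisory): read-only sweep for the
# step 2a indicators, reusable for the step 4 verification pass. Nothing is
# deleted. Assumptions: IIS log folder, review-window start and size threshold.
param(
    [string]$WwwRoot   = 'C:\MOVEitTransfer\wwwroot',         # path named in the advisory
    [string]$TempRoot  = 'C:\Windows\TEMP',                   # path named in the advisory
    [string]$IisLogDir = 'C:\inetpub\logs\LogFiles\W3SVC1',   # assumed: default site log folder
    [datetime]$Since   = (Get-Date '2023-05-27'),             # assumed: start of review window
    [int64]$LargeBytes = 10MB                                 # assumed: "large download" threshold
)

function Find-MoveitSuspiciousFiles {
    param([string]$WwwRoot, [string]$TempRoot, [datetime]$Since)
    $hits = @(
        # i.  any human2.aspx under the web root
        Get-ChildItem -Path $WwwRoot -Recurse -File -Filter 'human2.aspx' -ErrorAction SilentlyContinue
        # ii. files created under the web root inside the review window
        Get-ChildItem -Path $WwwRoot -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $Since }
        # iii. .cmdline files anywhere under C:\Windows\TEMP\<random>\
        Get-ChildItem -Path $TempRoot -Recurse -File -Filter '*.cmdline' -ErrorAction SilentlyContinue
    )
    $hits | Sort-Object FullName -Unique |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}

function Get-MoveitIisIndicators {
    # Parses IIS W3C extended logs (space separated; column names come from the
    # '#Fields:' header line) and returns the step 2a vi. indicators.
    param([string[]]$LogLines, [int64]$LargeBytes = 10MB)
    $fields = @()
    $rows = foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split ' '; continue }
        if ($line.StartsWith('#') -or -not $line.Trim()) { continue }
        $values = $line -split ' '
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
    $webshell = $rows | Where-Object { $_.'cs-method' -eq 'GET' -and $_.'cs-uri-stem' -eq '/human2.aspx' }
    $large    = $rows | Where-Object { [int64]$_.'sc-bytes' -ge $LargeBytes }   # missing column counts as 0
    [pscustomobject]@{
        WebshellHits   = @($webshell | Select-Object date, time, 'c-ip', 'cs-uri-stem', 'sc-status')
        LargeResponses = @($large | Group-Object 'c-ip' | Select-Object Name, Count,
            @{ n = 'TotalBytes'; e = { ($_.Group | ForEach-Object { [int64]$_.'sc-bytes' } | Measure-Object -Sum).Sum } })
    }
}

# Constructed sample lines (documentation-range IPs, not real data) so the parser
# can be exercised on a machine that has no MOVEit logs at all.
$SampleLog = @(
    '#Software: Microsoft Internet Information Services 10.0'
    '#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes'
    '2023-05-28 03:14:07 203.0.113.10 GET /human2.aspx 200 1412'
    '2023-05-28 03:15:41 203.0.113.10 GET /human2.aspx 200 15728640'
    '2023-05-28 08:00:00 198.51.100.7 GET /human.aspx 200 2048'
)

Find-MoveitSuspiciousFiles -WwwRoot $WwwRoot -TempRoot $TempRoot -Since $Since | Format-Table -AutoSize

$logLines = if (Test-Path $IisLogDir) {
    Get-ChildItem -Path $IisLogDir -Filter 'u_ex*.log' | Get-Content
} else {
    Write-Warning "IIS log directory $IisLogDir not found; parsing the constructed sample lines instead."
    $SampleLog
}
$result = Get-MoveitIisIndicators -LogLines $logLines -LargeBytes $LargeBytes
$result.WebshellHits   | Format-Table -AutoSize
$result.LargeResponses | Format-Table -AutoSize
```

On the sample lines the sweep reports two GET /human2.aspx requests and one client (203.0.113.10) with a response above the threshold. Run against real logs, anything in `WebshellHits` is a direct indicator from the advisory; `LargeResponses` needs comparing with normal transfer volumes for that host before it is treated as an unexpected download.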
3. Apply the Patch
Patches for all supported MOVEit Transfer versions are available below. Supported versions are listed at the following link: https://community.progress.com/s/products/moveit/product-lifecycle. Please note, the license file can remain the same to apply the patch.
| Affected Version | Fixed Version | Documentation |
|---|---|---|
| MOVEit Transfer 2023.0.0 (15.0) | MOVEit Transfer 2023.0.1 | MOVEit 2023 Upgrade Documentation |
| MOVEit Transfer 2022.1.x (14.1) | MOVEit Transfer 2022.1.5 | MOVEit 2022 Upgrade Documentation |
| MOVEit Transfer 2022.0.x (14.0) | MOVEit Transfer 2022.0.4 | |
| MOVEit Transfer 2021.1.x (13.1) | MOVEit Transfer 2021.1.4 | MOVEit 2021 Upgrade Documentation |
| MOVEit Transfer 2021.0.x (13.0) | MOVEit Transfer 2021.0.6 | |
| MOVEit Transfer 2020.1.x (12.1) | Special Patch Available | See KB 000234559 |
| MOVEit Transfer 2020.0.x (12.0) or older | MUST upgrade to a supported version | See MOVEit Transfer Upgrade and Migration Guide |
| MOVEit Cloud | MOVEit Transfer 14.1.4.94 / MOVEit Transfer 14.0.3.42 | All MOVEit Cloud systems are fully patched at this time. See the Cloud Status Page. |
4. Verification
a. To confirm the files have been successfully deleted and no unauthorized accounts remain, follow step 2a again. If you do find indicators of compromise, you should reset the service account credentials again.
5. Enable all HTTP and HTTPS traffic to your MOVEit Transfer environment
6. Continuous Monitoring
a. Monitor network, endpoints, and logs for IoCs (Indicators of Compromise) as listed in the attached IoC file referenced below.
If you are unable to follow the recommended mitigation steps above, we strongly suggest taking the below security steps to help reduce risk to your MOVEit Transfer environment from unauthorized access. It’s important to note, these are not considered mitigation steps to the mentioned vulnerability.
Please refer to the MOVEit Security Best Practices guide.
See file attachment cve-2023-34362.csv
If you do notice any of the indicators noted above, please immediately contact your security and IT teams and open a ticket with Progress Technical Support at: https://community.progress.com/s/supportlink-landing.