
MOVEit Transfer Developer Issues Fixes for Additional Critical Flaws Discovered During Security Audit


The developer of MOVEit Transfer, a web-based platform for managed and secure file transfer that has a cloud version as well as a locally hosted version, has issued new updates after a third-party security audit identified additional SQL injection vulnerabilities. Third-party cybersecurity experts were employed to conduct further detailed code reviews as an added layer of protection for customers. As part of these code reviews, cybersecurity firm Huntress helped to uncover additional vulnerabilities that could potentially be used by a bad actor to stage an exploit.

Progress Software, the developer, said in a blog post: “In addition to the ongoing investigation into vulnerability (CVE-2023-34362), we have partnered with third-party cybersecurity experts to conduct further detailed code reviews as an added layer of protection for our customers.” The company has already deployed the patches to its cloud service, but privately hosted versions need to be patched individually.

The new vulnerabilities are tracked under the CVE-2023-35036 identifier and are similar to the previous zero-day vulnerability that attackers have been exploiting since May. The flaws could allow unauthenticated attackers to gain access to the MOVEit Transfer database. The developers have warned that an attacker could submit a crafted payload to a MOVEit Transfer application endpoint, which could result in modification and disclosure of MOVEit database content.

Attackers exploited the previous vulnerability to insert new administrative accounts into the MOVEit database and then exfiltrate sensitive file information through the application itself by using a web shell. The attacker group behind the Clop ransomware took responsibility for the attacks exploiting the May CVE-2023-34362 vulnerability, with the goal of extorting money from companies in exchange for deleting the stolen data. This cybercrime gang has exploited vulnerabilities in other managed file transfer solutions in the past, including Accellion File Transfer Appliance (FTA) devices in 2020 and 2021 and Fortra/Linoma GoAnywhere MFT servers in early 2023. Security researchers found evidence that the attackers experimented with MOVEit Transfer exploits as early as July 2021.

All versions of MOVEit Transfer maintained by Progress Software are affected by the latest vulnerabilities. The company has deployed patches to its cloud service and recommends that its customers immediately install the new patches to their privately hosted versions.

Customers have two options for deploying the patches: either the full installer, which updates the whole installation, or copying a fixed DLL file into place. The DLL drop-in method is faster, but it requires the deployed application to already be at the previous version in the series. For example, the fixed DLL for the June 9 flaws will only work if customers have previously upgraded their installations with the patches for the May vulnerability. It is also important that the old version of the DLL is removed from the system and not kept as a backup anywhere, since it remains vulnerable if attackers can reach it.
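The warning above about stale copies of the replaced DLL is easy to verify on a host. The following PowerShell check is an added example, not code from Progress Software or from this article; the DLL path and search roots are placeholders to be replaced with the values from the vendor advisory. It hashes the patched DLL and then flags every same-named file on the given drives (including renamed .bak/.old copies) whose hash differs.

```powershell
# Added example (not from Progress Software or the article): after applying the DLL
# drop-in fix, confirm that no stale copy of the replaced DLL survives on the host.
# $PatchedDll and $SearchRoots are PLACEHOLDERS; substitute the real file name and the
# install/backup locations given in the vendor advisory.
param(
    [string]$PatchedDll    = 'C:\PLACEHOLDER\MOVEit\FixedLibrary.dll',
    [string[]]$SearchRoots = @('C:\', 'D:\')
)

$patched         = Get-Item -LiteralPath $PatchedDll -ErrorAction Stop
$expectedHash    = (Get-FileHash -LiteralPath $patched.FullName -Algorithm SHA256).Hash
$expectedVersion = $patched.VersionInfo.FileVersion

Write-Host "Patched DLL : $($patched.FullName)"
Write-Host "  SHA256      : $expectedHash"
Write-Host "  FileVersion : $expectedVersion"

# Match the base name with any suffix so renamed backups (e.g. .dll.bak, _old.dll) are found too.
$pattern = [IO.Path]::GetFileNameWithoutExtension($patched.Name) + '*'

$stale = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Filter $pattern -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -ne $patched.FullName } |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            # A byte-identical copy of the fixed DLL is not reported; anything else is a candidate
            # for the old, vulnerable build (or an unrelated file sharing the name) and must be reviewed.
            if ($hash -ne $expectedHash) {
                [pscustomobject]@{
                    Path        = $_.FullName
                    FileVersion = $_.VersionInfo.FileVersion
                    SHA256      = $hash
                }
            }
        }
}

if ($stale) {
    Write-Warning "Found $(@($stale).Count) file(s) that do not match the patched DLL; review and remove them:"
    $stale | Format-Table -AutoSize
    exit 1
}
Write-Host 'No stale copies of the DLL found.'
```

Run it from an elevated prompt so that protected directories are searched, and extend $SearchRoots to any network share or backup location where an installer or admin might have saved a copy.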

MOVEit Transfer and other enterprise secure file transfer solutions are under attack, and all users are urged to install the latest patches before it is too late. The need to update their digital infrastructure is high as attackers become even more sophisticated in their methods. Companies must remain vigilant and be proactive in protecting their systems from cyber threats.

Progress Software said that they would continue to work with cybersecurity experts to ensure that their products’ security remains up-to-date in the ever-changing landscape of cybersecurity threats. In an age where cyber threats are a daily reality, this is a commitment that benefits not only their customers, but also the industry at large.
