Update – June 15:
On June 15, 2023, Progress released a security advisory detailing a newly discovered SQL injection vulnerability impacting the MOVEit Transfer web application and Cloud. The vulnerability is distinct from CVE-2023-34362, which was actively exploited by Cl0p Ransomware to exfiltrate data and extort compromised organizations, and CVE-2023-35036 reported on June 9, 2023. Although distinct, the vulnerability results in nearly identical unauthorized access where threat actors could modify or disclose MOVEit database content.
The vulnerability currently does not have a CVE number assigned. Notably, the vulnerability was disclosed publicly and a security patch is not available; however, no active exploitation has been observed at this time. Progress stated they are currently testing patches and will provide updates shortly.
Note: Progress has taken all HTTPS traffic down for MOVEit Cloud due to this newly reported vulnerability.
For additional information on prior MOVEit Transfer vulnerabilities and Arctic Wolf's actions in response, refer to the Security Bulletins:
- Actively Exploited Zero-Day Vulnerability: MOVEit Transfer
- New Vulnerabilities Similar to CVE-2023-34362 Identified in MOVEit Transfer and MOVEit Cloud – See below
Recommendation
Disable all HTTP and HTTPS Traffic to MOVEit Transfer Environment
Until Progress releases a security patch for this vulnerability, we strongly recommend following Progress’ mitigation steps to prevent unauthorized access to your MOVEit Transfer environment. Progress recommends disabling all HTTP and HTTPS traffic to your MOVEit environment, specifically:
- Modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443.
Note: Users will not be able to log on to the MOVEit Transfer web UI. Administrators will still be able to access MOVEit Transfer by using remote desktop to access the Windows machine and then accessing https://localhost/. MOVEit Automation tasks that use the native MOVEit Transfer host will not work, nor will the REST, Java and .NET APIs or the MOVEit Transfer add-in for Outlook.
SFTP and FTP/s protocols will continue to work as normal. However, we recommend not leveraging FTP due to files being transferred unencrypted.
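One way to confirm the firewall change took effect is to probe the server from a client network segment (not from the server itself, where https://localhost/ is meant to keep working). This is an added example, not part of the Progress advisory or the original bulletin; port 22 for SFTP is an assumed default, and `check_mitigation` and `probe` are illustrative names.

```python
import socket

# Expected state after the mitigation: web ports closed to clients,
# SFTP still reachable. Port 22 for SFTP is an assumption; adjust to your setup.
EXPECTED = {80: "blocked", 443: "blocked", 22: "open"}


def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'refused' (RST) or 'filtered' (no reply)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        raise  # a name-resolution failure says nothing about the firewall
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout or unreachable: packets are being dropped
        return "filtered"


def check_mitigation(host, expected=EXPECTED, timeout=3.0):
    """Return {port: message} for every port whose state deviates from the plan."""
    deviations = {}
    for port, want in expected.items():
        got = probe(host, port, timeout)
        # 'refused' and 'filtered' both count as blocked.
        if (got == "open") != (want == "open"):
            deviations[port] = f"expected {want}, observed {got}"
    return deviations
```

An empty result means ports 80 and 443 are unreachable from the vantage point while SFTP still answers.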
Original Post – June 12
On June 9, 2023, Progress released a security advisory detailing newly discovered SQL injection vulnerabilities impacting the MOVEit Transfer web application and Cloud. The vulnerabilities are distinct from CVE-2023-34362, which was actively exploited by Cl0p Ransomware to exfiltrate data and extort compromised organizations. Although distinct, the vulnerabilities result in nearly identical unauthorized access where threat actors could modify or disclose MOVEit database content.
All MOVEit Transfer versions are impacted by these vulnerabilities, including End-of-Life (EOL) versions under MOVEit Transfer (DMZ).
NOTE: MOVEit Cloud is also impacted by these vulnerabilities; however, Progress has tested and deployed a patch to all MOVEit Cloud clusters to remediate them.
For additional information on CVE-2023-34362 and Arctic Wolf's actions in response to the vulnerability, refer to the Security Bulletins:
Recommendations
If your organization has not applied security patches for CVE-2023-34362, we strongly recommend following the remediation guidance provided in the MOVEit Transfer Critical Vulnerability (May 2023) article here: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
If up to date, apply the patches outlined in the table below to remediate the newly discovered vulnerabilities.
Recommendation: Apply the Latest Security Patches Released by Progress
Progress has provided two methods to remediate the newly discovered vulnerabilities to minimize disruptions to operational environments.
Applying the DLL drop-in could reduce operational interruptions to the application during an upgrade compared to a full installer.
NOTE: To apply the DLL drop-in, your organization must have the required listed version installed first.
DLL Drop-in

| Affected Version | Fixed Version | Documentation |
|---|---|---|
| MOVEit Transfer 2023.0.1 | MOVEit Transfer 2023.0.2 | See the README.txt file in the *.zip file |
| MOVEit Transfer 2022.1.5 | MOVEit Transfer 2022.1.6 | See the README.txt file in the *.zip file |
| MOVEit Transfer 2022.0.4 | MOVEit Transfer 2022.0.5 | |
| MOVEit Transfer 2021.1.4 | MOVEit Transfer 2021.1.5 | See the README.txt file in the *.zip file |
| MOVEit Transfer 2021.0.6 | MOVEit Transfer 2021.0.7 | |
| MOVEit Transfer 2020.1.6 or later | MOVEit Transfer 2020.1.9 | See the README.txt file in the *.zip file |
| MOVEit Transfer 2020.0.x or older | MUST upgrade to a supported version | See MOVEit Transfer Upgrade and Migration Guide |

Full Installer

| Affected Version | Fixed Version | Documentation |
|---|---|---|
| MOVEit Transfer 2023.0.x | MOVEit Transfer 2023.0.2 | MOVEit 2023 Upgrade Documentation |
| MOVEit Transfer 2022.1.x | MOVEit Transfer 2022.1.6 | MOVEit 2022 Upgrade Documentation |
| MOVEit Transfer 2022.0.x | MOVEit Transfer 2022.0.5 | |
| MOVEit Transfer 2021.1.x | MOVEit Transfer 2021.1.5 | MOVEit 2021 Upgrade Documentation |
| MOVEit Transfer 2021.0.x | MOVEit Transfer 2021.0.7 | |
| MOVEit Transfer 2020.1.x | Special Patch Available | See KB Vulnerability (May 2023) Fix for MOVEit Transfer 2020.1 (12.1) |
| MOVEit Transfer 2020.0.x or older | MUST upgrade to a supported version | See MOVEit Transfer Upgrade and Migration Guide |
| MOVEit Cloud | Prod: 14.1.6.97 or 14.0.5.45; Test: 15.0.2.39 | All MOVEit Cloud systems are fully patched at this time. |
Please follow your organization’s patching and testing guidelines to avoid any operational impact.
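The two tables above can be turned into a triage rule for an inventory of MOVEit Transfer installs: which hosts qualify for the DLL drop-in, which need the full installer, and which must be upgraded first. This is an added example, not code from Progress or the original bulletin; it assumes year-style version strings, takes the 2021.1 branch's drop-in prerequisite to be 2021.1.4, and the host names are constructed.

```python
import re

# Transcribed from the bulletin's tables:
# branch -> (fixed patch level, patch level the DLL drop-in needs, "or later" accepted)
BRANCHES = {
    (2023, 0): (2, 1, False),
    (2022, 1): (6, 5, False),
    (2022, 0): (5, 4, False),
    (2021, 1): (5, 4, False),
    (2021, 0): (7, 6, False),
    (2020, 1): (9, 6, True),  # "2020.1.6 or later" qualifies for the drop-in
}
OLDEST_SUPPORTED = min(BRANCHES)  # (2020, 1); 2020.0.x or older must upgrade


def parse_version(text):
    """Extract (year, minor, patch) from e.g. 'MOVEit Transfer 2022.1.5'."""
    match = re.search(r"\b(\d{4})\.(\d+)\.(\d+)\b", text)
    if not match:
        raise ValueError(f"no year-style version in {text!r}")
    return tuple(int(part) for part in match.groups())


def triage(version_text):
    """Return the remediation path the tables prescribe for one install."""
    year, minor, patch = parse_version(version_text)
    branch = (year, minor)
    if branch < OLDEST_SUPPORTED:
        return "upgrade to a supported version"
    if branch not in BRANCHES:
        return "not listed in bulletin"
    fixed, dropin_from, or_later = BRANCHES[branch]
    if patch >= fixed:
        return "at fixed version"
    if patch == dropin_from or (or_later and patch > dropin_from):
        return f"DLL drop-in to {year}.{minor}.{fixed}"
    if branch == (2020, 1):
        return "special patch (see Progress KB)"
    return f"full installer to {year}.{minor}.{fixed}"


# Constructed inventory; host names are hypothetical.
INVENTORY = {"mft-a": "2023.0.1", "mft-b": "2022.1.3",
             "mft-c": "2020.1.7", "mft-d": "2020.0.4"}

def triage_inventory(inventory=INVENTORY):
    return {host: triage(version) for host, version in inventory.items()}

if __name__ == "__main__":
    for host, action in triage_inventory().items():
        print(f"{host}: {action}")
```

"At fixed version" covers only the vulnerabilities reported on June 9; the issue disclosed on June 15 has no patch listed here, so the HTTP/HTTPS block still applies to those hosts.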