Critical MOVEit vulnerability puts huge swaths of the Internet at severe risk

A critical vulnerability recently discovered in a widely used piece of software is putting huge swaths of the Internet at risk of devastating hacks, and attackers have already begun actively trying to exploit it in real-world attacks, researchers warn.

The software, known as MOVEit and sold by Progress Software, allows enterprises to transfer and manage files using various specifications, including SFTP, SCP, and HTTP protocols and in ways that comply with regulations mandated under PCI and HIPAA. At the time this post went live, Internet scans indicated it was installed inside almost 1,800 networks around the world, with the biggest number in the US. A separate scan performed Tuesday by security firm Censys found 2,700 such instances.

Causing mayhem with a null string

Last year, a critical MOVEit vulnerability led to the compromise of more than 2,300 organizations, including Shell, British Airways, the US Department of Energy, and Ontario’s government birth registry, BORN Ontario, the latter of which led to the compromise of information for 3.4 million people.

On Tuesday, Progress Software disclosed CVE-2024-5806, a vulnerability that enables attackers to bypass authentication and gain access to sensitive data. The vulnerability, found in the MOVEit SFTP module, carries a severity rating of 9.1 out of 10. Within hours of the vulnerability becoming publicly known, hackers were already attempting to exploit it, researchers from the Shadowserver organization said.

A deep-dive technical analysis by researchers with the offensive security firm watchTowr Labs said that the vulnerability can be exploited in at least two attack scenarios. The most powerful attack allows hackers to use a null string—a programming concept for no value—as a public encryption key during the authentication process. As a result, the hacker can log in as an existing trusted user.

“This is a devastating attack,” watchTowr Labs researchers wrote. “It allows anyone who is able to place a public key on the server to assume the identity of any SFTP user at all. From here, this user can do all the usual operations—read, write, or delete files, or otherwise cause mayhem.”

A separate attack described by the watchTowr researchers allows attackers to obtain the cryptographic hashes that mask user passwords. It works by manipulating SSH public key paths to trigger a “forced authentication” against a malicious SMB server using a valid username. The technique exposes the hash of that user’s password, which the attacker must then crack before it is of any use.

The researchers said that the requirement of uploading a public key to a vulnerable server isn’t a particularly high hurdle for attackers to clear, because the entire purpose of MOVEit is to transfer files. It’s also not especially hard to learn or guess the names of user accounts on a system. The watchTowr post also noted that their exploits use IPWorks SSH, a commercial product Progress Software extends in MOVEit.

The Progress Software advisory said: “A newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue mentioned above if left unpatched. While the patch distributed by Progress on June 11th successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk.”

The post advised customers to ensure inbound RDP access to MOVEit servers is blocked and to restrict outbound access to known trusted endpoints from MOVEit servers. A company representative declined to say if that component was IPWorks SSH.

The vulnerability affects MOVEit Transfer versions:

  • 2023.0.0 before 2023.0.11
  • 2023.1.0 before 2023.1.6
  • 2024.0.0 before 2024.0.2

Fixes for 2023.0.11, 2023.1.6, and 2024.0.2 are available here, here, and here, respectively. MOVEit users can check the version they’re running using this link.
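The version ranges above are exact boundaries, so a small comparison helper is a quicker and less error-prone way to triage a fleet than reading release notes by hand. The following is an added example written for this article, not code from Progress Software or the advisory: it parses a MOVEit Transfer version string of the form `year.minor.patch` and reports whether it falls inside one of the affected ranges listed above. The `AFFECTED_RANGES` table is transcribed from the article; the function names and the sample versions are this example's own, and a release branch the advisory does not name is reported as unknown rather than safe.

```python
# Added example: triage a MOVEit Transfer version against the CVE-2024-5806
# ranges quoted in the article. Not the vendor's tooling; helper names are
# this example's own.
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per release branch, as stated in the advisory:
#   2023.0.0 before 2023.0.11, 2023.1.0 before 2023.1.6, 2024.0.0 before 2024.0.2
AFFECTED_RANGES = {
    (2023, 0): ((2023, 0, 0), (2023, 0, 11)),
    (2023, 1): ((2023, 1, 0), (2023, 1, 6)),
    (2024, 0): ((2024, 0, 0), (2024, 0, 2)),
}


def parse_version(text: str) -> Version:
    """Parse 'year.minor.patch' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MOVEit version string: {text!r}")
    year, minor, patch = (int(p) for p in parts)
    return (year, minor, patch)


def check_cve_2024_5806(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, first_fixed) where status is 'vulnerable', 'patched' or
    'unknown'. Branches the advisory does not list are 'unknown': the check
    cannot clear them, so they should be reviewed, not assumed safe."""
    version = parse_version(text)
    branch = (version[0], version[1])
    if branch not in AFFECTED_RANGES:
        return "unknown", None
    first_affected, first_fixed = AFFECTED_RANGES[branch]
    fixed_str = ".".join(str(n) for n in first_fixed)
    if first_affected <= version < first_fixed:
        return "vulnerable", fixed_str
    return "patched", fixed_str


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = {
        "mft-01.example.test": "2023.0.10",
        "mft-02.example.test": "2023.1.6",
        "mft-03.example.test": "2024.0.1",
        "mft-04.example.test": "2022.1.3",
    }
    for host, ver in inventory.items():
        status, fixed = check_cve_2024_5806(ver)
        target = f" -> upgrade to {fixed}" if status == "vulnerable" else ""
        print(f"{host:<22} {ver:<10} {status}{target}")
```

The comparison uses the "before" wording of the advisory literally: a version equal to the first fixed release is reported as patched, and anything in an unlisted branch is flagged for manual review rather than silently passed.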

Given the damage resulting from the mass exploitation of last year’s MOVEit vulnerability, it’s likely this latest one could follow a similar path. Affected admins should prioritize investigating whether they’re vulnerable as soon as possible and respond appropriately. Additional analysis and guidance are available here and here.
