Progress Software has issued an advisory for a critical zero-day SQL injection vulnerability in its MOVEit Transfer solution. The vulnerability was initially disclosed on May 31, 2023, was assigned a CVE ID a few days later, and is now tracked as CVE-2023-34362. It carries a CVSS v3.1 base score of 9.8 (Critical); the 10.0 quoted in some write-ups is the CVSS v2 score. According to the advisory, the SQL injection could allow an unauthenticated attacker to gain access to the MOVEit Transfer web application's database. Progress has warned that the vulnerability is being actively exploited, and Microsoft has attributed the attacks to Lace Tempest, the group behind Cl0p ransomware, whose data-theft intrusions can end in files being stolen or deleted, or encrypted with a ransom demand attached. MOVEit Transfer users should update their systems promptly to safeguard against this threat.
In this post, we’ll delve into what a zero-day vulnerability is, how to fix CVE-2023-34362, a critical zero-day SQL Injection vulnerability in the MOVEit Transfer Solution, and how to mitigate this serious issue.
A "zero-day" is a software vulnerability that attackers discover, or begin exploiting, before the vendor is aware of it. Because no patch exists yet, the vendor has had "zero days" to fix it, and an attack exploiting the flaw is far more likely to succeed.
In this case, CVE-2023-34362 was first seen in the wild as a zero-day, but Progress has since released patches for the affected software.
MOVEit Transfer, formerly known as Ipswitch MOVEit, is a comprehensive solution for secure file transfer. It is designed by Progress Software Corporation to ensure safe, reliable, and compliant transfers of sensitive data across networks. MOVEit Transfer offers both manual and automated file-transferring capabilities, and it supports a wide variety of security protocols to safeguard data during transit and at rest.
The solution is known for its robust security measures, including encryption, activity logging, and compliance with a variety of regulatory standards such as HIPAA, PCI, and GDPR. Furthermore, MOVEit Transfer provides versatile management features, enabling users to control and monitor all file transfer activities.
In addition to its high-level security and control, MOVEit Transfer also provides convenience and efficiency. It offers a user-friendly interface and is capable of integrating with a variety of systems and services, making it a flexible choice for businesses of all sizes and industries.
Vendor: Progress Software
Product: MOVEit Transfer Solution
Vulnerability Type: SQL Injection Vulnerability
Base Score: 9.8 Critical (CVSS v3.1); 10.0 under CVSS v2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CVSS v2 equivalent: AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-2023-34362 is a vulnerability found in the MOVEit Transfer web application. It relates to a SQL injection issue that could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database. This could occur in versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).
The type of database engine being used (MySQL, Microsoft SQL Server, or Azure SQL) could influence the potential impact of the attack. An attacker might be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.
This vulnerability was exploited in the wild in May and June 2023 by the threat actor Microsoft tracks as Lace Tempest, which is linked to Cl0p ransomware. Unpatched systems can be exploited over either HTTP or HTTPS, and every release older than the five fixed versions listed above, including unsupported ones, is affected.
Rapid7 observed multiple web shells with the same file name across victims, which points to an automated attack. The adversary's behavior appears opportunistic rather than targeted: the consistency of the evidence suggests a single threat actor indiscriminately deploying one exploit against every vulnerable target it can reach.
The threat actors deploy a newly identified web shell, LEMURLOOT, written to disk as human2.aspx so that it blends in with human.aspx, a legitimate component of MOVEit Transfer.
LEMURLOOT is built specifically for a system running MOVEit Transfer. According to Mandiant, it authenticates its operator with a hard-coded password supplied in an X-siLock-Comment request header, and its commands can enumerate files and directories, retrieve configuration details, and create or remove a user with a pre-set name.
Preliminary analysis indicates that LEMURLOOT is being used to exfiltrate data previously uploaded by users of the individual MOVEit Transfer systems.
Mandiant reports that it is aware of numerous instances in which large quantities of files were stolen from victims' MOVEit Transfer systems. LEMURLOOT can also steal Azure Storage Blob details, including credentials, from the MOVEit Transfer application settings, which implies that threat actors may be pulling files directly from Azure where victims stored appliance data in Azure Blob storage; it remains unclear whether the theft is limited to data stored that way.
All versions of MOVEit Transfer prior to the May 31, 2023 patch are vulnerable to this exploit. Remediation measures include updating to the patched version of the software, setting firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 until the patch is applied, and checking for indicators of compromise dating back at least a month.
| Affected Version | Fixed Version | Documentation |
|---|---|---|
| MOVEit Transfer 2023.0.0 (15.0) | MOVEit Transfer 2023.0.1 | MOVEit 2023 Upgrade Documentation |
| MOVEit Transfer 2022.1.x (14.1) | MOVEit Transfer 2022.1.5 | MOVEit 2022 Upgrade Documentation |
| MOVEit Transfer 2022.0.x (14.0) | MOVEit Transfer 2022.0.4 | MOVEit 2022 Upgrade Documentation |
| MOVEit Transfer 2021.1.x (13.1) | MOVEit Transfer 2021.1.4 | MOVEit 2021 Upgrade Documentation |
| MOVEit Transfer 2021.0.x (13.0) | MOVEit Transfer 2021.0.6 | MOVEit 2021 Upgrade Documentation |
| MOVEit Transfer 2020.1.x (12.1) | Special Patch Available | See KB 000234559 |
| MOVEit Transfer 2020.0.x (12.0) or older | MUST upgrade to a supported version | See MOVEit Transfer Upgrade and Migration Guide |
| MOVEit Cloud | MOVEit Transfer 14.1.4.94, MOVEit Transfer 14.0.3.42 | All MOVEit Cloud systems are fully patched at this time. See the Cloud Status Page. |
Table 1: Affected Versions (Source: Progress)
Progress Software responded to this critical zero-day SQL injection vulnerability by releasing patches. Refer to the table above for the affected versions, the corresponding fixed versions, and links to the upgrade documentation. Since patches are available, apply them as soon as possible to fix CVE-2023-34362.
The vendor also published mitigation and clean-up steps to apply alongside the patches.
- Because the attacks arrive over HTTP and HTTPS, disable all HTTP and HTTPS traffic to the MOVEit Transfer environment until the patch is applied: modify firewall rules to deny inbound traffic to MOVEit Transfer on ports 80 and 443. SFTP and FTP/S continue to work as normal, and administrators can still reach the web interface by connecting to the Windows host over RDP and browsing to https://localhost/.
- Delete unauthorized files and user accounts, and reset the credentials of affected systems and of the MOVEit Transfer service account:
  - Delete any instances of human2.aspx (or any file whose name starts with human2) and any .cmdline script files.
  - Check the C:\MOVEitTransfer\wwwroot directory on the MOVEit Transfer server for newly created files.
  - Check the C:\Windows\TEMP\[random]\ directory for new files with a .cmdline extension.
  - Look for new APP_WEB_[random].dll files under C:\Windows\Microsoft.NET\Framework64\[version]\Temporary ASP.NET Files\root\[random]\[random]\.
  - Stop IIS with iisreset /stop, delete all APP_WEB_[random].dll files in that directory, then start IIS with iisreset /start. The web application recompiles these assemblies on the next request, so finding at least one APP_WEB_[random].dll in this directory afterwards is normal.
  - Remove any unauthorized user accounts, referring to the Progress MOVEit Users documentation for guidance.
  - Review logs for unexpected downloads of files from unknown IP addresses or an unusually large number of downloads. See the MOVEit Transfer Logs guide for details on log review.
The full, updated IOC file is available on the official Progress Community page. The network indicators published at the time of writing are:
5.252.191.0/24
148.113.152.144
138.197.152.201
209.97.137.33
89.39.105.108
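As an added example (this is not Progress Software's code and was not part of the original post), the PowerShell script below rolls the containment and triage steps listed above, together with the IOC addresses just given, into a single pass on a MOVEit Transfer server. It assumes the default install path C:\MOVEitTransfer, IIS W3C logs under C:\inetpub\logs\LogFiles, and an elevated session on the MOVEit host; these are assumptions, so adjust them for your environment. It deliberately reports rather than deletes, so that suspect files can be hashed and preserved before the manual clean-up and iisreset steps are run.

```powershell
#Requires -RunAsAdministrator
# Added example, not Progress Software's code: containment and triage for CVE-2023-34362.
# Assumptions: MOVEit Transfer is installed under C:\MOVEitTransfer, IIS logs live under
# C:\inetpub\logs\LogFiles, and the script runs elevated on the MOVEit host.
# Paths and IOC addresses are the ones quoted in the Progress advisory and this post.

$ErrorActionPreference = 'Stop'
$Since      = (Get-Date).AddDays(-30)      # advisory: look back at least a month
$WebRoot    = 'C:\MOVEitTransfer\wwwroot'
$IisLogRoot = 'C:\inetpub\logs\LogFiles'
$AspNetTemp = "$env:SystemRoot\Microsoft.NET\Framework64\*\Temporary ASP.NET Files\root"
$Iocs       = @('5.252.191.0/24', '148.113.152.144', '138.197.152.201', '209.97.137.33', '89.39.105.108')

# --- 1. Containment: deny inbound HTTP/HTTPS until the fixed build is installed.
# SFTP/FTPS keep working; admins reach the UI via RDP to the host and https://localhost/.
foreach ($port in 80, 443) {
    $name = "MOVEit CVE-2023-34362 block TCP/$port"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -Protocol TCP -LocalPort $port -Profile Any | Out-Null
        Write-Host "Added firewall rule: $name"
    }
}

# --- 2. File hunt: web shell (human2*), .cmdline droppers, recently compiled ASP.NET assemblies.
# CreationTime can be timestomped, so the human2* name match does not depend on it.
$suspect = @(
    Get-ChildItem $WebRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'human2*' -or $_.CreationTime -gt $Since }
    Get-ChildItem "$env:SystemRoot\TEMP" -Recurse -File -Filter '*.cmdline' -ErrorAction SilentlyContinue
    Get-ChildItem $AspNetTemp -Recurse -File -Filter 'APP_WEB_*.dll' -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $Since }
)
Write-Host "`n== Suspect files (hash and preserve before deleting) =="
$suspect | Select-Object FullName, CreationTime, LastWriteTime, Length | Format-Table -AutoSize

# --- 3. IOC matching helpers: plain IPv4 addresses and CIDR ranges, computed on Int64
# to avoid any sign/width surprises with PowerShell's bitwise operators.
function ConvertTo-IPv4Int {
    param([string]$Address)
    $b = ([System.Net.IPAddress]$Address).GetAddressBytes()
    return ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}
function Test-IocMatch {
    param([string]$Address)
    if ($Address -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }   # skip IPv6 / blank c-ip
    $ip = ConvertTo-IPv4Int $Address
    foreach ($entry in $Iocs) {
        $net, $bits = $entry -split '/'
        if (-not $bits) { $bits = 32 }
        $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
        if (($ip -band $mask) -eq ((ConvertTo-IPv4Int $net) -band $mask)) { return $true }
    }
    return $false
}

# --- 4. IIS log review: requests to human2.aspx and any traffic from IOC addresses.
# W3C logs carry a '#Fields:' header, so columns are resolved by name rather than position.
$hits = foreach ($log in Get-ChildItem $IisLogRoot -Recurse -File -Filter '*.log' |
                 Where-Object { $_.LastWriteTime -gt $Since }) {
    $fields = $null
    foreach ($line in [System.IO.File]::ReadLines($log.FullName)) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $col = $line -split ' '
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $col.Count; $i++) { $rec[$fields[$i]] = $col[$i] }
        $uri = $rec['cs-uri-stem']; $client = $rec['c-ip']
        if ($uri -match '(?i)human2\.aspx' -or (Test-IocMatch $client)) {
            [pscustomobject]@{
                Log = $log.Name; When = "$($rec['date']) $($rec['time'])"
                ClientIP = $client; Method = $rec['cs-method']; Uri = $uri; Status = $rec['sc-status']
            }
        }
    }
}
Write-Host "`n== Suspicious IIS requests =="
$hits | Format-Table -AutoSize
Write-Host "`n== Request volume per suspicious client (bulk-download indicator) =="
$hits | Group-Object ClientIP | Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize
```

Two caveats worth keeping in mind when reading the output: IIS does not log request headers by default, so the X-siLock-Comment header LEMURLOOT uses cannot be matched here, and a clean IIS log does not clear the host if the web shell was reached through a load balancer whose real client addresses are only in X-Forwarded-For. Treat any hit as a reason to pull the MOVEit Transfer logs and the full Progress IOC file before deleting anything.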
In a recent tweet, Microsoft attributed the attacks to Lace Tempest, the actor behind the Clop ransomware operation, based on the overlap between this campaign's tradecraft and the group's known methods. Beyond patching, update firewall rules and harden security policies to reduce exposure.
We hope this post helped you understand how to fix CVE-2023-34362, the critical zero-day SQL injection vulnerability in the MOVEit Transfer solution. Please share this post if you found it interesting. Visit our website thesecmaster.com and our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram, and subscribe to receive updates like this.
You may also like these articles:
How to Fix CVE-2023-35708- A Critical SQL Injection Vulnerability in MOVEit Transfer Solution?
How to Fix CVE-2023-36934- A Critical SQL Injection Vulnerability in MOVEit Transfer Solution?
How To Fix CVE-2022-24086- A Critical 0-Day Arbitrary Code Execution Vulnerability In Magento
CVE-2022-0513- Fix The Critical SQL Injection Vulnerability In WP Statistics WordPress Plugin
Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.