How to Fix CVE-2023-34362- A Critical 0-Day SQL Injection Vulnerability in MOVEit Transfer Solution?

Progress Software has issued an advisory for a critical zero-day SQL Injection vulnerability in their MOVEit Transfer Solution. This vulnerability, initially disclosed on May 31, 2023, was assigned a CVE ID a few days later and is now tracked as CVE-2023-34362. It has received the maximum CVSS score of 10 out of 10, indicating its high severity. According to the advisory, this SQL Injection vulnerability could permit attackers to gain unauthorized access to the database of the MOVEit Transfer web application. Progress Software has issued a warning about the active exploitation of this vulnerability by the Cl0p ransomware gang. Microsoft linked the Cl0p ransomware group, associated with data-theft attacks on MOVEit, which can result in the theft or deletion of files or the encryption of files with a ransom demand attached. It is critical for MOVEit Transfer users to promptly update their systems to safeguard against this threat.

In this post, we’ll delve into what a zero-day vulnerability is, how to fix CVE-2023-34362, a critical zero-day SQL Injection vulnerability in the MOVEit Transfer Solution, and how to mitigate this serious issue.

What Is a Zero-Day?

A “Zero-Day” is a term used to describe a software vulnerability that is found by malicious actors before the software vendor becomes aware of it. Because the vendor doesn’t yet know about the issue, there’s no available patch to fix the vulnerability, making it more likely that an attack exploiting this vulnerability will succeed.

In this particular scenario, the vulnerability, labeled CVE-2023-34362, was initially discovered as a zero-day vulnerability. However, a patch to fix this vulnerability has been recently released for the impacted software.

A Short Introduction About MOVEit Transfer Solution

MOVEit Transfer, formerly known as Ipswitch MOVEit, is a comprehensive solution for secure file transfer. It is designed by Progress Software Corporation to ensure safe, reliable, and compliant transfers of sensitive data across networks. MOVEit Transfer offers both manual and automated file-transferring capabilities, and it supports a wide variety of security protocols to safeguard data during transit and at rest.

The solution is known for its robust security measures, including encryption, activity logging, and compliance with a variety of regulatory standards such as HIPAA, PCI, and GDPR. Furthermore, MOVEit Transfer provides versatile management features, enabling users to control and monitor all file transfer activities.

In addition to its high-level security and control, MOVEit Transfer also provides convenience and efficiency. It offers a user-friendly interface and is capable of integrating with a variety of systems and services, making it a flexible choice for businesses of all sizes and industries.

Summary of CVE-2023-34362

CVE-2023-34362 is a vulnerability found in the MOVEit Transfer web application. It relates to a SQL injection issue that could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database. This could occur in versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).

The type of database engine being used (MySQL, Microsoft SQL Server, or Azure SQL) could influence the potential impact of the attack. An attacker might be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.

This vulnerability was reportedly exploited by the threat actor group known as Lace Tempest, linked to Cl0p ransomware in the wild in May and June 2023. Unpatched systems can be exploited via either HTTP or HTTPS. All versions, including older unsupported ones, before the five explicitly mentioned versions are also affected.

Attacker Behavior – Technical Details

As per the research conducted by Rapid7, multiple web shells were observed in the same name, which indicates this can be an automated attack. Based on the observations made, the behavior of the adversary seems to be more opportunistic rather than specifically targeted. The consistent nature of the evidence we have encountered suggests that a single threat actor may be indiscriminately deploying a single exploit against vulnerable targets.

The threat actors are utilizing a recently discovered LEMURLOOT web shell that is disguised as human.aspx, a legitimate component of the MOVEit Transfer software.

LEMURLOOT is equipped with features specifically designed to operate on a system running MOVEit Transfer software. These functionalities include generating commands to gather information about files and directories, retrieving configuration details, as well as creating or removing a user with a pre-set name.

Preliminary analysis indicates that the LEMURLOOT web shell is being utilized to extract data that was previously uploaded by users of individual MOVEit Transfer systems.

As per the analysis by Mandiant has knowledge of numerous instances where significant quantities of files have been unlawfully obtained from the MOVEit transfer systems of victims. LEMURLOOT has the capability to pilfer Azure Storage Blob details, including credentials, from the application settings of MOVEit Transfer. This implies that threat actors exploiting this vulnerability may be pilfering files from Azure in situations where victims have stored appliance data in Azure Blob storage, although it remains uncertain if the theft is restricted solely to data stored in this manner.

Product Affected by CVE-2023-34362

All versions of MOVEit Transfer prior to the May 31, 2023 patch are vulnerable to this exploit. Remediation measures include updating to the patched version of the software, setting firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 until the patch is applied, and checking for indicators of compromise dating back at least a month.

Table 1: Affected Versions (Source: Progress)

How to Fix CVE-2023-34362- A Critical 0-Day SQL Injection Vulnerability in MOVEit Transfer Solution?

Progress Software responded to this critical 0-day SQL Injection vulnerability by releasing the patches. Please refer to the table from the above section to get the affected and corresponding fixed versions with links to documentation. Since patches are available, we recommend updating the patches as soon as possible to fix the CVE-2023-34362 vulnerability.

The vendor released a few mitigation steps on top of the patches.

IOCs

The full updated IOC file is available on the official page of the progress community.

Conclusion

As per the recent tweet from Microsoft, the attack is attributed to Lace Tempest and the Clop ransomware gang. This is suspected because the method used by the ransomware gang is similar to the ongoing attack. It is also recommended to update firewall rules and harden security policies for better security.

We hope this post helped you know how to fix CVE-2023-34362, critical 0-day SQL Injection vulnerabilities in MOVEit Transfer Solution. Please share this post if you find this interested. Visit our website thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.