How to Fix CVE-2023-36934- A Critical SQL Injection Vulnerability in MOVEit Transfer Solution?

Progress Software has released a service pack that fixes three security vulnerabilities, including a critical zero-day SQL Injection vulnerability in their MOVEit Transfer Solution in July 2023 after the release of CVE-2023-34362 in June 2023. These vulnerabilities were tracked under the CVE IDs CVE-2023-36934, CVE-2023-36932, and CVE-2023-36933 are Critical and two High in severity vulnerabilities. According to the vendor, these vulnerabilities were disclosed after a series of cyberattacks targeted the CVE-2023-34362 vulnerability. CVSS scores are yet to provide. However, it is determined as a Critical vulnerability due to its exploitability nature. The critical flaw CVE-2023-36934 is capable of exploiting without logging in. This means attackers don’t need valid credentials to exploit the vulnerability. 

Progress Software has left a note that there are no traces of active exploitation in the wild. It is critical for MOVEit Transfer users to promptly update their systems to safeguard against these threats. In this post, we’ll delve into what is SQL Injection attack, how to fix CVE-2023-36934, a critical SQL Injection vulnerability in the MOVEit Transfer Solution, and how to mitigate these serious issues.

A Short Note About SQL-Injection Attacks

In general, SQL Injection is a code injection technique that attackers use to exploit vulnerabilities in a web application’s database query software. It’s a very serious security issue that can lead to unauthorized access to sensitive data, including customer information, personal details, proprietary company data, and more.

The concept of an SQL Injection attack is pretty straightforward: instead of using the input fields of a web application for their intended purpose, an attacker provides specially crafted input data that can manipulate the SQL queries running in the backend. If not properly secured, these manipulated queries can allow the attacker to view, modify, or delete data that they should not have access to.

For example, imagine a simple login form where a user provides a username and password. Normally, the server-side code would create an SQL query something like “SELECT * FROM Users WHERE Username=’inputted_username’ AND Password=’inputted_password'”. If an attacker enters something like” ‘OR ‘1’=’1′ “in the username field, the resulting query might look like “SELECT * FROM Users WHERE Username=” OR ‘1’=’1′ AND Password=’whatever'”. Since ‘1’=’1′ is always true, this query will return data regardless of what the correct username or password should be, potentially granting the attacker access to the system.

A Short Introduction About MOVEit Transfer Solution

MOVEit Transfer is a comprehensive Managed File Transfer (MFT) solution that allows organizations to securely transfer sensitive data between business partners, customers, and employees, while meeting compliance requirements.

Key Features of MOVEit Transfer:

List of Security Vulnerabilities Patched in July’s Service Packs

MOVEit has covered three security vulnerabilities in its July month Service Pack. One is determined as a Critical SQL Injection vulnerability, and well other two are concluded as High in severity. Let’s see the summary of all three vulnerabilities here in this section. 

Summary of CVE-2023-36934 (Severity: CRITICAL)

This is a critical SQL injection vulnerability discovered in the MOVEit Transfer web application, which was disclosed by Guy Lederfein of Trend Micro in collaboration with the Zero Day Initiative program. The vulnerability could potentially enable an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. It operates by allowing an attacker to submit a specially crafted payload to a MOVEit Transfer application endpoint, which could lead to unauthorized modification and disclosure of the MOVEit database content. This flaw affects versions of the application released before the following: 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4).

Summary of CVE-2023-36932 (Severity: HIGH)

This is a high-severity vulnerability found in MOVEit Transfer versions that were released before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4). The vulnerability, specifically, is a series of SQL injection weaknesses present in the MOVEit Transfer web application. These vulnerabilities could permit an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. By creating and submitting a carefully crafted payload to a MOVEit Transfer application endpoint, the attacker could potentially modify and disclose MOVEit database content. The discovery credit for these vulnerabilities goes to HackerOne’s cchav3z and Nicolas Zilio, who was working with CrowdStrike, along with hoangha2, hoangnx, and duongdpt (Q5Ca) associated with VCSLAB of Viettel Cyber Security.

Summary of CVE-2023-36933 (Severity: HIGH)

This is a high-severity vulnerability discovered in the MOVEit Transfer web application, which was disclosed by jameshorseman from Hackerone. This vulnerability provides an opportunity for an attacker to invoke a certain method leading to an unhandled exception. When exploited, this vulnerability can trigger a sequence that could abruptly terminate the MOVEit Transfer application. The flaw is vulnerable to MOVEit Transfer versions launched before 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4).

MOVEit Transfer application Versions Vulnerable to CVE-2023-36934 and Other Two Vulnerabilities

How to Fix CVE-2023-36934- A Critical SQL Injection Vulnerability in MOVEit Transfer Solution?

As per the advisory from Progress Software, before you fix the CVE-2023-36934 vulnerability, you should be aware that the May patches (CVE-2023-34362) were applied. It is mandatory to apply the patches of CVE-2023-34362 to proceed. Here are the two potential paths to choose from:

The vendor recommends reading the README.txt file before attempting the DLL drop-in install. It’s important to entirely remove, not just rename, any old versions of these DLL files. When shutting down the MOVEit Transfer services (step 1), it’s also necessary to stop the IIS services (World Wide Web Publishing Services) to successfully replace the old DLLs. After the new files are copied into their respective destinations, both the MOVEit Transfer and IIS services should be restarted.

The table below provides information about affected versions and their corresponding fixes:

To implement the fix, please follow these steps:

Conclusion

In conclusion, the CVE-2023-36934 SQL injection vulnerability in the MOVEit Transfer solution could potentially allow unauthenticated attackers to gain unauthorized access to the database and run any code they want. This is a critical security flaw that needs to be addressed immediately.

Fortunately, there are steps that can be taken to fix this vulnerability. First, it is recommended to update to the latest version of MOVEit Transfer, which includes a security update addressing this vulnerability. Additionally, it is important to follow best practices for secure coding and database management to prevent similar vulnerabilities from occurring in the future.

Overall, it is crucial for organizations to take proactive steps to protect their systems and data from security threats. By staying up-to-date with security updates and following best practices, organizations can minimize the risk of vulnerabilities like CVE-2023-36934 and ensure the safety and security of their data.

We hope this post helped you know how to fix CVE-2023-36934, critical SQL Injection vulnerabilities in MOVEit Transfer Solution. Please share this post if you find this interested. Visit our website thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.