Just in Time Bulletin: CVE-2023-34362 SQL Injection in Progress MOVEit Transfer Software

Jun 05, 2023

What is CVE-2023-34362? 

Progress has discovered a SQL injection vulnerability in the MOVEit Transfer web application (before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1)) that could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database via escalated privileges and potentially unauthorized access to the environment. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements.

How bad is this?

This vulnerability was exploited in the wild during May and June 2023; exploitation of unpatched systems can occur over HTTP or HTTPS. All versions before the five fixed releases listed above (for example 2020.0.x and 2019.x) are affected, including older, unsupported versions.

CVE             CVSS                         CVSSv3
CVE-2023-34362  No CVSS score published yet  No CVSSv3 score published yet


Severity: Critical

The SQL injection is exploitable without authentication and allows exfiltration of sensitive data stored in the backend database. In certain cases, SQL injection can also lead to privilege escalation and OS command execution on the underlying operating system.

Who is affected by this? 

All MOVEit Transfer versions are affected by this vulnerability. See the table below for the security patch for each supported version. Customers on unsupported versions should upgrade to one of the supported fixed versions below. 

Based on our review of this situation to date, the following products are not susceptible to this SQL Injection Vulnerability in MOVEit Transfer: MOVEit Automation, MOVEit Client, MOVEit Add-in for Microsoft Outlook, MOVEit Mobile, WS_FTP Client, WS_FTP Server, MOVEit EZ, MOVEit Gateway, MOVEit Analytics, and MOVEit Freely. At this time, no action is necessary for the above-mentioned products.

Patches for all supported MOVEit Transfer versions are available below. Supported versions are listed at the following link: https://community.progress.com/s/products/moveit/product-lifecycle. Please note, the license file can remain the same to apply the patch.

How is it exploited? 

It is straightforward to show that the software is vulnerable to SQL injection: inserting a single quote character (') into the vulnerable parameter is enough to make the application return a database error message in the response.
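As an added example (not code from NopSec or Progress), the following Python performs the single-quote probe described above against a generic query parameter and classifies the response using the error strings emitted by the database engines this bulletin names (Azure SQL shares the Microsoft SQL Server messages). The target URL and parameter name are hypothetical placeholders, not MOVEit Transfer endpoints, and the sample response bodies are constructed. It goes one step beyond the text by also fetching an unmodified baseline, so a page that always shows a database error is not misreported as injectable.

```python
"""Single-quote probe for error-based SQL injection, with a baseline check.
Added example, not code from NopSec or Progress. The URL and parameter used
below are hypothetical placeholders, not MOVEit Transfer endpoints."""
import re
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Error text produced by the engines the bulletin names. Azure SQL returns
# the same messages as Microsoft SQL Server.
SQL_ERROR_SIGNATURES = {
    "mssql": [
        r"Unclosed quotation mark after the character string",
        r"Incorrect syntax near",
        r"System\.Data\.SqlClient\.SqlException",
    ],
    "mysql": [
        r"You have an error in your SQL syntax",
        r"MySql\.Data\.MySqlClient\.MySqlException",
    ],
}


def build_probe_url(url: str, param: str, payload: str = "'") -> str:
    """Append payload to the value of `param` in the query string of url."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = query.get(param, "") + payload
    return urlunsplit(parts._replace(query=urlencode(query)))


def classify_sql_error(body: str):
    """Return the engine whose error signature appears in body, else None."""
    for engine, patterns in SQL_ERROR_SIGNATURES.items():
        if any(re.search(p, body, re.IGNORECASE) for p in patterns):
            return engine
    return None


def confirm_injection(baseline_body: str, probe_body: str):
    """Report an engine only if the error shows up in the probed response and
    not in the unmodified one; otherwise the page may simply always error."""
    probed = classify_sql_error(probe_body)
    if probed is None or classify_sql_error(baseline_body) == probed:
        return None
    return probed


def fetch(url: str, timeout: float = 10.0) -> str:
    """Plain GET. Only use against systems you are authorised to test."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def probe(url: str, param: str):
    """Baseline request, then the quote probe; returns the engine or None."""
    return confirm_injection(fetch(url), fetch(build_probe_url(url, param)))


if __name__ == "__main__":
    # Constructed responses standing in for a live target.
    BASELINE = "<html><body>Welcome</body></html>"
    PROBED = ("<html>Unclosed quotation mark after the character string "
              "'abc''.</html>")
    print(build_probe_url("https://target.example/page.aspx?id=abc", "id"))
    print(confirm_injection(BASELINE, PROBED))  # mssql
```

The baseline comparison is the caveat a tester wants: an error that is already present without the quote tells you nothing, and a response that differs only by a generic 500 page needs a second, differential probe rather than a verdict.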

How do I protect myself?

To help prevent successful exploitation of the mentioned SQLi vulnerability to your MOVEit Transfer environment, we strongly recommend that you immediately apply the following mitigation measures per the steps below.

  1. Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment. More specifically, modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied. It is important to note that until HTTP and HTTPS traffic is enabled again:
    • Users will not be able to log on to the MOVEit Transfer web UI
    • MOVEit Automation tasks that use the native MOVEit Transfer host will not work
    • REST, Java and .NET APIs will not work
    • MOVEit Transfer add-in for Outlook will not work

    Please note: SFTP and FTP/S protocols will continue to work as normal. Administrators will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then browsing to https://localhost/. For more information on localhost connections, please refer to MOVEit Transfer Help.

  2. Review, Delete and Reset
     a. Delete Unauthorized Files and User Accounts
    • Delete any instances of the human2.aspx and .cmdline script files.
    • On the MOVEit Transfer server, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.
    • On the MOVEit Transfer server, look for new files created in the C:\Windows\TEMP\[random]\ directory with a file extension of [.]cmdline.
    • Remove any unauthorized user accounts. See the Progress MOVEit Users Documentation article.
    • Review logs for unexpected downloads of files from unknown IPs or large numbers of files downloaded. For more information on reviewing logs, please refer to the MOVEit Transfer Logs guide.
    • Review IIS logs for any events including GET /human2.aspx. Large numbers of log entries or entries with large data sizes may indicate unexpected file downloads.
    • If applicable, review Azure logs for unauthorized access to Azure Blob Storage Keys and consider rotating any potentially affected keys.

     b. Reset Credentials
    • Reset service account credentials for affected systems and the MOVEit Service Account. See KB 000115941.
  3. Apply the Patch. Patches for all supported MOVEit Transfer versions are listed in the table below. Supported versions are listed at the following link: https://community.progress.com/s/products/moveit/product-lifecycle. Please note, the license file can remain the same to apply the patch.

Affected Version                          Fixed Version                             Documentation
MOVEit Transfer 2023.0.0 (15.0)           MOVEit Transfer 2023.0.1                  MOVEit 2023 Upgrade Documentation
MOVEit Transfer 2022.1.x (14.1)           MOVEit Transfer 2022.1.5                  MOVEit 2022 Upgrade Documentation
MOVEit Transfer 2022.0.x (14.0)           MOVEit Transfer 2022.0.4                  MOVEit 2022 Upgrade Documentation
MOVEit Transfer 2021.1.x (13.1)           MOVEit Transfer 2021.1.4                  MOVEit 2021 Upgrade Documentation
MOVEit Transfer 2021.0.x (13.0)           MOVEit Transfer 2021.0.6                  MOVEit 2021 Upgrade Documentation
MOVEit Transfer 2020.1.x (12.1)           Special Patch Available                   See KB 000234559
MOVEit Transfer 2020.0.x (12.0) or older  MUST upgrade to a supported version       See MOVEit Transfer Upgrade and Migration Guide
MOVEit Cloud                              MOVEit Transfer 14.1.4.94 and 14.0.3.42   Cloud Status Page

All MOVEit Cloud systems are fully patched at this time.
  4. Verification. To confirm the files have been successfully deleted and no unauthorized accounts remain, follow step 2a again. If you do find indicators of compromise, reset the service account credentials again.
  5. Enable all HTTP and HTTPS traffic to your MOVEit Transfer environment.
  6. Continuous Monitoring. Monitor network, endpoints, and logs for the IoCs (Indicators of Compromise) described in step 2a.
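The file and log review in step 2a, as an added example in Python (not NopSec's or Progress's tooling): it parses an IIS W3C log excerpt for requests to human2.aspx, totals hits and bytes served per client IP so that large or numerous downloads stand out, and sweeps a web root for planted or recently modified files and a TEMP directory for .cmdline files in random subfolders. The log lines, the IP addresses, and the directory tree it builds are constructed for illustration. On a real server, point sweep_files at C:\MOVEitTransfer\wwwroot\ and C:\Windows\TEMP\ with a cutoff just before the suspected intrusion window, and feed hunt_webshell_requests the contents of the IIS log files (by default under C:\inetpub\logs\LogFiles).

```python
"""IoC hunt for the step 2a artefacts: human2.aspx requests in IIS logs,
new files under the web root, and .cmdline files under TEMP.
Added example, not NopSec's or Progress's tooling; the log excerpt and the
directory tree below are constructed, not taken from a real incident."""
from collections import defaultdict
from pathlib import Path
import os
import tempfile
import time

# Constructed IIS W3C log excerpt (addresses come from documentation ranges).
# The #Fields line drives parsing, so other field orders work unchanged.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-bytes cs-bytes
2023-05-28 02:10:58 GET /human.aspx - 198.51.100.7 200 4120 280
2023-05-28 02:11:09 GET /human2.aspx - 203.0.113.10 200 38291 310
2023-05-28 02:11:12 GET /human2.aspx - 203.0.113.10 200 7340032 310
2023-05-28 02:11:40 GET /human2.aspx - 203.0.113.10 404 - 310
"""


def parse_iis_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def hunt_webshell_requests(text, large_bytes=1_000_000):
    """Per client IP: hits on human2.aspx, bytes served, and responses over
    large_bytes (a possible bulk download). IIS logs '-' for unknown values."""
    hits = defaultdict(lambda: {"count": 0, "bytes": 0, "large": 0})
    for rec in parse_iis_log(text):
        if not rec.get("cs-uri-stem", "").lower().endswith("/human2.aspx"):
            continue
        raw = rec.get("sc-bytes", "-")
        sent = int(raw) if raw.isdigit() else 0
        entry = hits[rec.get("c-ip", "?")]
        entry["count"] += 1
        entry["bytes"] += sent
        entry["large"] += int(sent >= large_bytes)
    return dict(hits)


def sweep_files(wwwroot, temp_dir, newer_than):
    """Paths to review: any human2.aspx or any file modified after newer_than
    (epoch seconds) under wwwroot, plus every *.cmdline under temp_dir."""
    findings = []
    for p in Path(wwwroot).rglob("*"):
        if p.is_file() and (p.name.lower() == "human2.aspx"
                            or p.stat().st_mtime > newer_than):
            findings.append(str(p))
    findings.extend(str(p) for p in Path(temp_dir).rglob("*.cmdline") if p.is_file())
    return sorted(findings)


def demo_sweep():
    """Build a constructed tree (one old legitimate file, one planted web
    shell, one .cmdline under a random TEMP subfolder) and sweep it."""
    root = Path(tempfile.mkdtemp())
    wwwroot, temp = root / "wwwroot", root / "TEMP"
    (wwwroot / "images").mkdir(parents=True)
    (temp / "ab12cd").mkdir(parents=True)
    cutoff = time.time() - 86400                      # review the last day
    legit = wwwroot / "human.aspx"
    legit.write_text("legitimate login page")
    os.utime(legit, (cutoff - 3600, cutoff - 3600))   # older than the cutoff
    (wwwroot / "human2.aspx").write_text("planted")
    (temp / "ab12cd" / "x.cmdline").write_text("")
    return sweep_files(wwwroot, temp, cutoff)


if __name__ == "__main__":
    for ip, stats in hunt_webshell_requests(SAMPLE_IIS_LOG).items():
        print(ip, stats)   # 203.0.113.10 {'count': 3, 'bytes': 7378323, 'large': 1}
    for path in demo_sweep():
        print("review:", path)
```

Treat the output as a review list, not a verdict: a file newer than the cutoff may be a legitimate update, and the byte totals only point you at the sessions worth pulling the MOVEit Transfer logs for.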

Additional Security Best Practices

If you are unable to follow the recommended mitigation steps above, we strongly suggest taking the below security steps to help reduce risk to your MOVEit Transfer environment from unauthorized access. It’s important to note, these are not considered mitigation steps to the mentioned vulnerability.

Please refer to the MOVEit Security Best Practices documentation.

  • Update network firewall rules to only allow connections to the MOVEit Transfer infrastructure from known trusted IP addresses.
  • Review and remove any unauthorized user accounts. See Progress MOVEit Users Documentation article.
  • Update remote access policies to only allow inbound connections from known and trusted IP addresses. For more information on restricting remote access, please refer to SysAdmin Remote Access Rules and Security Policies Remote Access guide.
  • Allow inbound access only from trusted entities (e.g., using certificate-based access control).
  • Enable multi-factor authentication. Multi-factor authentication (MFA) protects MOVEit Transfer accounts from unverified users when a user’s account password is lost, stolen, or compromised. To enable MFA, please refer to the MOVEit Transfer Multi-factor Authentication Documentation.

NopSec’s Thoughts

To take this simple proof of exploitation further, an attacker could use the sqlmap tool (https://github.com/sqlmapproject/sqlmap) to enumerate the database and extract its contents.

Additional Resources About CVE-2023-34362

*Special thank you to Mandiant, CrowdStrike, Rapid7, Microsoft, and CISA.