MOVEit mayhem 3: “Disable HTTP and HTTPS traffic immediately”



Update. Progress Software has now tested and published a patch for the “irresponsibly disclosed” vulnerability (CVE-2023-35708) described below. Keep internet access to MOVEit Transfer turned off until you’ve applied this latest patch. [2023-06-17-19:00:00Z]

Yet more MOVEit mayhem!

“Disable HTTP and HTTPS traffic to MOVEit Transfer,” said Progress Software, and the timeframe for doing so was “immediately”, no ifs, no buts.

Progress Software is the maker of the file-sharing product MOVEit Transfer, and of the hosted MOVEit Cloud alternative that is based on it, and this is its third warning in three weeks about exploitable vulnerabilities in its product.

At the end of May 2023, cyberextortion criminals linked to the Clop ransomware gang were found to be using a zero-day exploit to break into servers running the MOVEit product’s web front-end.

By sending deliberately malformed SQL database commands to a MOVEit Transfer server via its web portal, the criminals could access database tables without needing a password, and implant malware that allowed them to return to compromised servers later on, even if those servers had been patched in the meantime.

The attackers have apparently been stealing trophy company data, such as employee payroll details, and demanding blackmail payments in return for “deleting” the stolen data.

We explained, back at the start of June 2023, how to patch against this bug (CVE-2023-34362), and what you could look for in case the crooks had already paid you a visit:

Second warning

That warning was followed, last week, by an update from Progress Software.

While investigating the zero-day hole that they’d just patched, Progress developers uncovered similar programming flaws elsewhere in the code (CVE-2023-35036).

The company therefore published a further patch, urging customers to apply this new update proactively, on the assumption that the crooks (whose zero-day had just been rendered useless by the first patch) would also be keenly on the lookout for other ways to break back in:

Unsurprisingly, bugs of a feather often flock together, as we explained in this week’s Naked Security podcast:

[On 2023-06-09, Progress put] another patch out to deal with similar bugs that, as far as they know, the crooks haven’t found yet (but if they look hard enough, they might).

And, as odd as that sounds, when you find that a particular part of your software has a bug of a particular kind, you shouldn’t be surprised if, when you dig deeper…

…you find that the programmer (or the programming team who worked on it at the time that the bug you already know about got introduced) committed similar errors around the same time.

Third time unlucky

Well, lightning struck the same place for the third time in quick succession.

This time, it seems as if someone carried out what’s known in the jargon as a “full disclosure” (where bugs are revealed to the world at the same time as to the vendor, thus giving the vendor no breathing room to publish a patch proactively), or “dropping an 0-day”.

Progress reported:

Today [2023-06-15], a third-party publicly posted a new [SQL injection] vulnerability. We have taken HTTPS traffic down for MOVEit Cloud in light of the newly published vulnerability and are asking all MOVEit Transfer customers to immediately take down their HTTP and HTTPS traffic to safeguard their environments while the patch is finalized. We are currently testing the patch and we will update customers shortly.

Simply put, there was a brief zero-day period during which the new vulnerability (CVE-2023-35708) was circulating, but a patch wasn’t yet tested and ready for release.

As Progress has mentioned before, this group of so-called command injection bugs (where you send in what ought to be harmless data that later gets invoked as a server command) can only be triggered via MOVEit’s web-based portal, using HTTP or HTTPS requests.

Fortunately, that meant you didn’t need to shut down your entire MOVEit system to mitigate the bugs before patching them, only web-based access.

What to do?

Quoting from Progress Software’s advisory document dated 2023-06-15:


Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment. More specifically:

  • Modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443.
  • It is important to note that until HTTP and HTTPS traffic is enabled again:
    • Users will not be able to log on to the MOVEit Transfer web UI.
    • MOVEit Automation tasks that use the native MOVEit Transfer host will not work.
    • REST, Java and .NET APIs will not work.
    • MOVEit Transfer add-in for Outlook will not work.
  • SFTP and FTP/s protocols will continue to work as normal
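As an added illustration of the advisory’s first bullet (this is our own example, not a script from Progress Software), here is how the “deny ports 80 and 443” step looks as a host-level rule on the MOVEit Transfer server itself, together with a way to confirm the block from another machine and to lift it again once the patch is in. It assumes MOVEit Transfer is running on Windows Server with Windows Defender Firewall, an elevated PowerShell session, and a placeholder host name (moveit.example.internal); a host rule does not replace the perimeter firewall change the advisory calls for, it just adds a second layer on the box that is actually exposed.

```powershell
# Added example, not from Progress Software: host-level mitigation mirroring
# the advisory's "deny HTTP and HTTPS on ports 80 and 443" step.
# Assumes Windows Server, Windows Defender Firewall and an elevated session.

$RuleName = 'MOVEit Transfer - block web access (CVE-2023-35708 mitigation)'

function Disable-MoveitWebAccess {
    # Inbound Block rules take precedence over Allow rules in Windows Firewall,
    # so this works even though IIS already has its own allow rules for 80/443.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName `
            -Description 'Temporary block per Progress advisory 2023-06-15; remove after patching.' `
            -Direction Inbound -Protocol TCP -LocalPort 80,443 `
            -Action Block -Profile Any -Enabled True | Out-Null
    }
    # Only TCP 80 and 443 are denied, so SFTP and FTP/S keep working as the
    # advisory says. Show the port filter so the operator can see exactly that.
    Get-NetFirewallRule -DisplayName $RuleName |
        Get-NetFirewallPortFilter |
        Select-Object Protocol, LocalPort
}

function Enable-MoveitWebAccess {
    # Lift the block only after the patch has been applied and verified.
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
}

function Test-MoveitWebBlocked {
    # Run from a different machine. While the block is in place, both ports
    # should report Reachable = False. -WarningAction hides the expected warning.
    param([string]$ServerName = 'moveit.example.internal')  # placeholder host name
    foreach ($Port in 80, 443) {
        $Result = Test-NetConnection -ComputerName $ServerName -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Port = $Port; Reachable = $Result.TcpTestSucceeded }
    }
}

# Apply the block immediately, as the advisory instructs.
Disable-MoveitWebAccess
```

Run the script on the MOVEit Transfer host to put the block in place, then run Test-MoveitWebBlocked from a workstation to confirm that neither port answers; Enable-MoveitWebAccess removes only the rule this script created, leaving the server’s existing firewall configuration as it was.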

Progress Software’s patch has now been tested and published, so once you’ve applied the new update you can, in theory, turn web access back on…

…though we’d sympathise if you decided to keep it turned off for a while longer, just to be sure, to be sure.

