A newly disclosed critical security flaw impacting Progress Software MOVEit Transfer is already seeing exploitation attempts in the wild shortly after details of the bug were publicly disclosed.
The vulnerability, tracked as CVE-2024-5806 (CVSS score: 9.1), concerns an authentication bypass that impacts the following versions -
- From 2023.0.0 before 2023.0.11
- From 2023.1.0 before 2023.1.6, and
- From 2024.0.0 before 2024.0.2
"Improper authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass," the company said in an advisory released Tuesday.
Progress has also addressed another critical SFTP-associated authentication bypass vulnerability (CVE-2024-5805, CVSS score: 9.1) affecting MOVEit Gateway version 2024.0.0.
Successful exploitation of the flaws could allow attackers to bypass SFTP authentication and gain access to MOVEit Transfer and Gateway systems.
watchTowr Labs has since published additional technical specifics about CVE-2024-5806, with security researchers Aliz Hammond and Sina Kheirkhah noting that it could be weaponized to impersonate any user on the server.
The cybersecurity company further described the flaw as comprising two separate vulnerabilities, one in Progress MOVEit and the other in the IPWorks SSH library.
"While the more devastating vulnerability, the ability to impersonate arbitrary users, is unique to MOVEit, the less impactful (but still very real) forced authentication vulnerability is likely to affect all applications that use the IPWorks SSH server," the researchers said.
Progress Software said the shortcoming in the third-party component "elevates the risk of the original issue" if left unpatched, urging customers to follow the below two steps -
- Block public inbound RDP access to MOVEit Transfer server(s)
- Limit outbound access to only known trusted endpoints from MOVEit Transfer server(s)
According to Rapid7, there are three prerequisites to leveraging CVE-2024-5806: Attackers need to have knowledge of an existing username, the target account can authenticate remotely, and the SFTP service is publicly accessible over the internet.
As of June 25, data gathered by Censys shows that there are around 2,700 MOVEit Transfer instances online, most of them located in the U.S., the U.K., Germany, the Netherlands, Canada, Switzerland, Australia, France, Ireland, and Denmark.
With another critical issue in MOVEit Transfer widely abused in a spate of Cl0p ransomware attacks last year (CVE-2023-34362, CVSS score: 9.8), it's essential that users move quickly to update to the latest versions.
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that its Chemical Security Assessment Tool (CSAT) was targeted earlier this January by an unknown threat actor by taking advantage of security flaws in the Ivanti Connect Secure (ICS) appliance (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893).
"This intrusion may have resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program (PSP) submissions, and CSAT user accounts," the agency said, adding it found no evidence of data exfiltration.
Update
Progress Software, in a statement shared with The Hacker News, said "we have not received any reports that these vulnerabilities have been exploited and we are not aware of any direct operational impact to customers."
"We have already fixed the issue and are working on notifying and advising affected customers about the impact," Gent Hito, president and CEO of /n software, which maintains IPWorks SSH, told the publication.
"The scope of the vulnerability is dependent on how developers use the component and we expect it to be limited. It's worth noting that the security researchers notified us just 24 hours before release on Monday, while they had known and worked on this for weeks – which is regrettable."
/n software Provides Info about CVE-2024-5806
The maker of IPWorks SSH has noted in an alert that the authentication bypass only occurs "after a developer has accepted the user's credentials without verification." It also said it took steps to prevent all unintended file and network access requests as part of the library update.
(The story has been updated after publication to emphasize that the attacks are exploitation attempts at this stage.)