Authentication Bypasses in MOVEit Transfer and MOVEit Gateway

On June 25, 2024, Progress Software published information on two new vulnerabilities in MOVEit Transfer and MOVEit Gateway:

• CVE-2024-5806, a critical authentication bypass affecting the MOVEit Transfer SFTP service in a default configuration; and
• CVE-2024-5805, a critical SFTP-associated authentication bypass vulnerability affecting MOVEit Gateway.

Attackers can exploit these improper authentication vulnerabilities to bypass SFTP authentication and gain access to MOVEit Transfer and MOVEit Gateway.

Note: On June 26, 2024, Progress Software updated the advisory for CVE-2024-5806 to state that “A newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue.” The same day, the severity rating for CVE-2024-5806 was changed from “High” to “Critical.” The advisory also now includes two new mitigation recommendations: “Verify you have blocked public inbound RDP access to MOVEit Transfer server(s)” and “Limit outbound access to only known trusted endpoints from MOVEit Transfer server(s).” It appears from vendor communications and public discourse that the proof-of-concept exploit code released for MOVEit Transfer on June 25 may have also included a net-new zero-day vulnerability that both Progress Software and the third-party library producer had previously been unaware of.

CVE-2024-5806 is an improper authentication vulnerability affecting the MOVEit Transfer SFTP service that can lead to authentication bypass; the exploit chain that was publicly released on June 25 also allows for the theft of Windows service account credentials via forced authentication (it’s unclear as of June 26 whether credential theft via forced authentication is part of the original CVE-2024-5806 issue or a completely separate new vulnerability that was surprise-disclosed to Progress Software and the third-party library producer).

Rapid7 researchers tested a MOVEit Transfer 2023.0.1 instance, which appeared to be vulnerable to CVE-2024-5806 in the default configuration. As of June 25, the known criteria for exploitation of the authentication bypass are threefold: that attackers have knowledge of an existing username, that the target account can authenticate remotely, and that the SFTP service is exposed. It’s possible that attackers may spray usernames to identify valid accounts. The forced authentication attack can be performed if the host system’s firewall permits egress traffic for protocols that Windows will automatically authenticate over, such as SMB. Rapid7 recommends installing the vendor-provided patches for CVE-2024-5806 on an emergency basis, without waiting for a regular patch cycle to occur.

Notably, Rapid7 observed that installers for the patched (latest) version of MOVEit Transfer have been available on VirusTotal since at least June 11, 2024. Vulnerability details and proof-of-concept exploit code are publicly available for MOVEit Transfer CVE-2024-5806 as of June 25, 2024. Security nonprofit Shadowserver has reported exploit attempts against their honeypots as of the evening of June 25 (note that honeypot activity does not always correlate to threat activity in real-world production environments).

MOVEit Gateway CVE-2024-5805

According to Progress Software’s advisory, CVE-2024-5805 is a critical authentication bypass vulnerability that affects the SFTP feature of the MOVEit Gateway software in version 2024.0.0; earlier versions do not appear to be vulnerable, which likely limits available attack surface area. MOVEit Gateway is an optional component designed to proxy traffic to and from MOVEit Transfer instances. A patch is available for CVE-2024-5805 and should be applied on an emergency basis for organizations running MOVEit Gateway.

Mitigation guidance

Progress MOVEit is an enterprise file transfer suite, which inherently makes it a highly desirable target for threat actors. Since enterprise file transfer software typically holds a large volume of confidential data, smash-and-grab attackers target these solutions to extort victims. In June 2023, an unauthenticated attack chain targeting MOVEit Transfer was widely exploited by the Cl0p ransomware group. Shodan queries indicate that there are approximately 1,000 public-facing MOVEit Transfer SFTP servers and approximately 70 public-facing MOVEit Gateway SFTP servers. (Note that not all of these may be vulnerable to these latest CVEs.)

MOVEit customers should apply vendor-provided updates for both vulnerabilities immediately.

The following versions of MOVEit Transfer are vulnerable to CVE-2024-5806:

• MOVEit Transfer 2023.0.x (fixed in MOVEit Transfer 2023.0.11)
• MOVEit Transfer 2023.1.x (fixed in MOVEit Transfer 2023.1.6)
• MOVEit Transfer 2024.0.x (fixed in MOVEit Transfer 2024.0.2)

Per the vendor guidance, customers should ensure they have blocked public inbound RDP access to their MOVEit Transfer server(s), and that they are limiting outbound access to only known trusted endpoints from MOVEit Transfer server(s). The advisory also notes that “Customers using the MOVEit Cloud environment were patched and are no longer vulnerable to this exploit.”

Only MOVEit Gateway 2024.0.0 is vulnerable to CVE-2024-5805, per the vendor advisory. The vulnerability is fixed in MOVEit Gateway 2024.0.1. The advisory indicates that “MOVEit Cloud does not use MOVEit Gateway, so no further action is needed by MOVEit Cloud customers.”

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2024-5805 and CVE-2024-5806 with authenticated vulnerability checks available in the June 25 content release.

Updates

June 25, 2024: Exploit attempts have been reported against honeypots. Rapid7 customer language updated to note general availability of InsightVM/Nexpose checks.

June 26, 2024: We’ve updated the blog to reflect changes in severity and guidance in the Progress Software advisory for CVE-2024-5806. On June 26, 2024, Progress Software updated the advisory for CVE-2024-5806 with “A newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue.” The severity rating for CVE-2024-5806 was also changed from “High” to “Critical.”

It’s unclear as of June 26 whether the new “credential theft via forced authentication” aspect is part of the original CVE-2024-5806 issue or a completely separate new vulnerability that was released publicly before Progress Software or the third-party library producer were able to release fixes or mitigation guidance. Regardless, the advisory now includes two new mitigation recommendations: “Verify you have blocked public inbound RDP access to MOVEit Transfer server(s)” and “Limit outbound access to only known trusted endpoints from MOVEit Transfer server(s)”.

NEVER MISS AN EMERGING THREAT

Be the first to learn about the latest vulnerabilities and cybersecurity news.

Subscribe Now