MOVEit reports another SQLi flaw, advises systems lockout from internet.
Take action: Admins are exhausted from trying to patch their MOVEit systems and from the forensic effort that followed. Unfortunately, it is time for a bit more effort: disable the HTTPS interface of the MOVEit instance, if nothing else to prevent another set of sleepless nights of forensics and log digging.
The massive mess of MOVEit Transfer vulnerabilities continues: Progress has issued customers a new warning to take precautionary measures after information emerged about yet another flaw in the product.
The company advises customers to restrict all HTTP access to their MOVEit environments after details about a new SQL injection vulnerability were shared online. A patch to address this critical security bug is not currently available. Progress assures customers that one is being tested and will be released shortly.
Progress has identified a vulnerability in MOVEit Transfer that could potentially result in escalated privileges and unauthorized access to the environment. As a response to the newly published vulnerability, Progress has temporarily taken down HTTPS traffic for MOVEit Cloud. In addition, all MOVEit Transfer customers are urged to immediately disable their HTTP and HTTPS traffic to ensure the security of their environments until the patch is finalized.
While waiting for the security updates for affected versions of MOVEit Transfer, Progress strongly advises customers to modify their firewall rules and deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443.
This workaround renders the web interface unusable, but MOVEit can apparently still be used via the SFTP and FTP/S protocols. Realistically, the usability of the product just dropped many levels.
While the workaround is active, administrators who need Web UI access can still reach MOVEit Transfer by connecting to the Windows server through Remote Desktop and visiting https://localhost/.
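The port-80/443 deny rule described above, as an added example for a MOVEit Transfer host that relies on Windows Defender Firewall (this is not Progress's own script; the rule name and the `moveit.example.internal` hostname are placeholders, and a network firewall in front of the server would need the equivalent rule instead):

```powershell
# Added example: block inbound HTTP/HTTPS to the MOVEit Transfer web interface
# on ports 80 and 443, leaving SFTP/FTPS and every other port untouched.
# Assumes Windows Defender Firewall is active on the server.
$ports    = 80, 443
$ruleName = 'MOVEit-Block-Web-Inbound'   # hypothetical rule name

# Drop any stale copy first so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Action Block -Enabled True `
    -Protocol TCP -LocalPort $ports -Profile Any `
    -Description 'Temporary: deny MOVEit web UI until the Progress patch is applied' |
    Out-Null

# Verify the rule exists, is enabled, and actually covers both ports.
$rule   = Get-NetFirewallRule -DisplayName $ruleName
$filter = $rule | Get-NetFirewallPortFilter
'{0}: Enabled={1} Action={2} Ports={3}' -f $rule.DisplayName, $rule.Enabled,
    $rule.Action, ($filter.LocalPort -join ',')

# From a different host, confirm the web UI is gone but SFTP still answers:
# TcpTestSucceeded should be False for 443/80 and True for the SFTP port.
# Test-NetConnection -ComputerName moveit.example.internal -Port 443
# Test-NetConnection -ComputerName moveit.example.internal -Port 22
```

Windows Defender Firewall does not filter loopback traffic, so the Remote Desktop plus https://localhost/ path described above is expected to keep working with this rule in place.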
Although Progress has not disclosed where the details of the new SQL injection flaw were shared, a security researcher has posted information on Twitter, including what appears to be proof-of-concept exploit code for a new zero-day bug in MOVEit Transfer. They clarified that they have not achieved Remote Code Execution (RCE) and that this vulnerability is not a bypass of any previous vulnerability but has its own attack path.
In the meantime, the Clop ransomware group, which exploited the original zero-day vulnerability and the subsequent RCE exploit mechanism, has claimed responsibility for the attacks and for breaching the servers of hundreds of companies, and is now extorting organizations affected by the MOVEit data theft attacks. New reports of data breaches related to the MOVEit vulnerabilities are issued daily.