Progress fixed a third flaw in MOVEit Transfer software

Progress Software addressed a third vulnerability impacting its MOVEit Transfer application that could lead to privilege escalation and information disclosure.

Progress Software disclosed a new SQL injection vulnerability impacting its MOVEit Transfer application, it is the third issue fixed by the company after:

CVE-2023-35036 (June 9, 2023)

CVE-2023-34362 (May 31, 2023)
“Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment.” reads the advisory published by Progress. “If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment.”

To prevent unauthorized access to the installs, the vendor urges customers to immediately apply the following mitigation measures until they are able to apply the June 15th patch (CVE Pending):    1. Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment. Customers have to modify firewall rules to deny HTTP and HTTPs traffic to the software on ports 80 and 443. These settings will have the following drawbacks

Users will not be able to log on to the web UI of their MOVEit Transfer.   

MOVEit Automation tasks that use the native MOVEit Transfer host will not work  

REST, Java and .NET APIs will not work  

MOVEit Transfer add-in for Outlook will not work  
Recently Progress has released security updates to address new SQL injection vulnerabilities in the MOVEit Transfer application. An attacker can exploit the SQL injection vulnerabilities in the MOVEit Transfer solution to steal sensitive information

The vulnerabilities were discovered by researchers from the cybersecurity firm Huntress.

The good news is that Progress Software is not aware of attacks in the wild exploiting these vulnerabilities.

Recently another MOVEit software vulnerability, tracked as CVE-2023-34362, made the headlines.

The vulnerability is a SQL injection vulnerability, it can be exploited by an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database.

The Clop ransomware gang claims to have hacked hundreds of companies by exploiting the above issue.

Kroll researchers discovered that the Clop ransomware gang was looking for a zero-day exploit in the MOVEit software since 2021.

At the time of this writing, the Clop ransomware group already added 27 companies to the list of victims on its dark web leak site. The group claimed to have compromised the companies by exploiting the zero-day  CVE-2023-34362.

The group published the following message on its leak site to clarify the theft of data from government agencies reported by some media:

“WE GOT A LOT OF EMAILS ABOUT GOVERNMENT DATA, WE DON’T HAVE ANY GOVERNMENT DATA AND ANYTHING DIRECTLY RESIDING ON EXPOSED AND BAD PROTECTED NOT ENCRYPTED FILE TRANSFER WE STILL DO THE POLITE THING AND DELETE ALL. ALL MEDIA SPEAKING ABOUT THIS ARE DO WHAT ALWAYS THEY DO. PROVIDE LITTLE TRUTH IN A BIG LIE. WE ALSO WANT TO REMIND ALL COMPANY THAT IF YOU PUT DATA ON INTERNET WHERE DATA IS NOT PROTECT DO NOT BLAME US FOR PENETRATION TESTING SERVICE. WE ARE ONLY FINANCIAL MOTIVATED AND DO NOT CARE ANYTHING ABOUT POLITICS.“

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Clop)

The post Progress fixed a third flaw in MOVEit Transfer software appeared first on Security Affairs.