Customers of MOVEit are being urged by Progress Software to update their software in less than a month to address a third severe vulnerability.
According to the most recent vulnerability, identified as CVE-2023-35708, an unauthenticated attacker may be able acquire escalated privileges and gain entry to the MOVEit Transfer database through a SQL injection bug.
In a warning, Progress states that, “an attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.”
Versions of MOVEit Transfer prior to 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3) are affected by the vulnerability.
On June 15, proof-of-concept (PoC) code aimed at exploiting the flaw was made available. Progress quickly responded, noting that the flaw was made public "in a way that did not follow normal industry standards."
After a zero-day vulnerability was discovered on May 31 and a second severe bug was patched a week later, Progress has now fixed three critical SQL injection flaws in its MOVEit products in around three weeks. CVE-2023-35708 is the most recent of these.
Security experts discovered evidence indicating that exploitation may have begun two years prior to the initial flaw, CVE-2023-34362, which only began to be widely exploited in late May.
Attacks on the MOVEit zero-day have affected more than 100 organisations. The Cl0p ransomware gang is responsible for the most recent campaign, and it has begun naming some of the victims in public.
The British Broadcasting Corporation, British Airways, Aer Lingus, the Nova Scotia government, the U.S. Department of Energy, the Louisiana Office of Motor Vehicles, the Oregon Department of Transportation, the University of Rochester, the Illinois Department of Innovation & Technology (DoIT), and the Minnesota Department of Education (MDE) are just a few of the organisations that have been identified as victims to date.
Austria, France, Germany, Luxembourg, the Netherlands, Switzerland, the United Kingdom, and the United States all have victims. Malwarebytes adds that the majority of the victims are in the US.
On June 9, CVE-2023-35036, the second vulnerability, was made public; however, it does not seem to have been used in the wild. Even though Progress claims to be unaware of any exploits for CVE-2023-35708, it advises users to install the most recent updates as soon as feasible.
“All MOVEit Transfer customers must take action and apply the patch to address the June 15th CVE-2023-35708 vulnerability discovered in MOVEit Transfer,” the company added.
Customers should stop HTTP and HTTPS traffic, limiting access to localhost only, apply the updates that are available (the June 15th patch also fixes the prior vulnerabilities), and then re-enable HTTP and HTTPS traffic to prevent unauthorised access to the MOVEit Transfer environment.
To fix the issues, Progress has published both DLL drop-in fixes and entire MOVEit Transfer installers. The company's advisory provides more details on how to apply the updates.