Progress Software's MOVEit Transfer has been found to contain a critical vulnerability, and customers are being urged to patch their systems without delay. The flaw, tracked as CVE-2023-36934, is an SQL injection vulnerability in the MOVEit Transfer web application. It can be exploited by an unauthenticated remote attacker to gain unauthorized access to the MOVEit Transfer database: no valid credentials are needed, and no action by a legitimate user is required.
If left unaddressed, the flaw can lead to unauthorized access to information, data breaches, and disruption of critical business functions. Barracuda MSP users running MOVEit Transfer should apply the latest vendor patch as soon as possible to mitigate the risk.
An SQL injection vulnerability arises when an application builds a database query from untrusted input without adequate validation or, better, parameterization. An attacker can then supply input that contains query syntax (a closing quote, an OR condition, a UNION, a comment marker) which the database interprets as part of the query rather than as data. The result is that the attacker, not the application, decides what the query does, and can read or modify the database.
In the past few months, Progress Software, the developer of MOVEit Transfer, has disclosed multiple SQL injection vulnerabilities in the product, including one, CVE-2023-36934, that can be exploited without any valid credentials for the application.
In each case the attack consists of sending specially crafted payloads to particular endpoints of the affected application. A successful attacker can expose sensitive data held in the MOVEit Transfer database or alter it.
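To make the mechanism concrete, here is an added example; it is not MOVEit Transfer's code and not the actual CVE-2023-36934 flaw, whose internals Progress has not published. It models a hypothetical "fetch file by share token" endpoint and a hypothetical rename endpoint two ways against a constructed SQLite database. The vulnerable versions splice the caller's input into the query text, so a payload that closes the quote can dump every row, pull credentials from another table with UNION, or turn a single rename into an update of every row. The fixed versions bind the same inputs as parameters, and the same payloads are then treated as ordinary strings. Table names, rows, endpoint names and payloads are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample schema and rows for the demonstration; this is not
# MOVEit Transfer's schema, and the endpoints below are hypothetical.
SCHEMA = """
CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
CREATE TABLE shares (id INTEGER PRIMARY KEY, token TEXT, filename TEXT, owner_id INTEGER);
INSERT INTO users  VALUES (1, 'alice', 'HASH-ALICE-CONSTRUCTED'),
                          (2, 'bob',   'HASH-BOB-CONSTRUCTED');
INSERT INTO shares VALUES (1, 'tok-alice-001', 'q3-forecast.xlsx', 1),
                          (2, 'tok-bob-002',   'payroll.csv',      2);
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_share_vulnerable(conn, token):
    """Hypothetical unauthenticated 'download by share token' endpoint.

    The caller-supplied token is spliced into the SQL text, so a quote in it
    changes the structure of the query instead of being compared as data.
    """
    sql = "SELECT filename, owner_id FROM shares WHERE token = '" + token + "'"
    return conn.execute(sql).fetchall()


def lookup_share_fixed(conn, token):
    """Same endpoint with a bound parameter: the query shape is fixed before
    any attacker input is seen, and the token is only ever a value."""
    sql = "SELECT filename, owner_id FROM shares WHERE token = ?"
    return conn.execute(sql, (token,)).fetchall()


def rename_share_vulnerable(conn, token, new_name):
    """Hypothetical rename endpoint; both inputs are concatenated."""
    sql = ("UPDATE shares SET filename = '" + new_name + "' "
           "WHERE token = '" + token + "'")
    conn.execute(sql)
    return conn.execute("SELECT filename FROM shares ORDER BY id").fetchall()


def rename_share_fixed(conn, token, new_name):
    """Same rename with bound parameters: only the matching row changes."""
    conn.execute("UPDATE shares SET filename = ? WHERE token = ?", (new_name, token))
    return conn.execute("SELECT filename FROM shares ORDER BY id").fetchall()


def demo():
    """Run each payload against the vulnerable and fixed versions."""
    benign = "tok-alice-001"
    dump_all = "' OR 1=1 --"                                       # the -- comments out the closing quote
    steal = "' UNION SELECT username, password_hash FROM users --"  # read a different table
    rename_all = "pwned.txt' --"                                    # comments out the WHERE clause

    read_db = make_db()
    write_vuln_db = make_db()
    write_fixed_db = make_db()
    return {
        "vuln_benign":    lookup_share_vulnerable(read_db, benign),
        "vuln_dump_all":  sorted(lookup_share_vulnerable(read_db, dump_all)),
        "vuln_union":     sorted(lookup_share_vulnerable(read_db, steal)),
        "fixed_benign":   lookup_share_fixed(read_db, benign),
        "fixed_dump_all": lookup_share_fixed(read_db, dump_all),
        "fixed_union":    lookup_share_fixed(read_db, steal),
        "vuln_rename":    rename_share_vulnerable(write_vuln_db, benign, rename_all),
        "fixed_rename":   rename_share_fixed(write_fixed_db, benign, rename_all),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15} {rows}")
```

Note that the fixed versions do not "sanitize" the payloads at all; the stored filename in the fixed rename case is literally `pwned.txt' --`. Parameter binding works because the database never parses user input as SQL, which is why it is preferred over escaping or blacklisting characters.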
Is There a Threat?
CVE-2023-36934 can be exploited by an unauthenticated remote attacker. By submitting a crafted payload to a vulnerable MOVEit Transfer endpoint, the attacker can gain unauthorized access to the MOVEit Transfer database, disclose or modify the sensitive data it holds, and use that foothold for further malicious activity on the system. Because neither valid credentials nor any user interaction is required, the vulnerability is rated critical.
Progress disclosed two further flaws alongside it. CVE-2023-36932 is also an SQL injection vulnerability, but it requires authentication: an attacker who is already logged in to MOVEit Transfer can use it to gain unauthorized access to the database. CVE-2023-36933 is an unhandled exception that allows an attacker to make the MOVEit Transfer application terminate unexpectedly, a denial of service.
These vulnerabilities affect multiple MOVEit Transfer versions: 12.1.10 and earlier, 13.0.8 and earlier, 13.1.6 and earlier, 14.0.6 and earlier, 14.1.7 and earlier, and 15.0.3 and earlier.
Are There Any Risks or Exposures?
Beyond the database itself, this vulnerability opens the door to further compromise of the host and the network around it.
An attacker who gains unauthorized access through MOVEit Transfer can use the compromised system as a foothold to move laterally across the network, escalate privileges, and compromise additional systems or resources. The outcome can be a large-scale breach, the exfiltration of sensitive information, or the disruption of interconnected systems within the organization.
Because exploitation requires neither user interaction nor authentication, the flaw poses a significant risk to any organization running the affected software. Secure file transfer is essential to day-to-day operations in a wide range of industries, including finance, healthcare, government, and manufacturing.
Organizations that handle sensitive or regulated data, such as personally identifiable information (PII) or protected health information (PHI), may face severe regulatory and reputational consequences if this vulnerability leads to the compromise of that data. The vulnerabilities were responsibly reported to Progress Software by researchers working with HackerOne and Trend Micro's Zero Day Initiative.
Progress Software has released patched builds for every supported MOVEit Transfer branch affected by these vulnerabilities: 12.1.11, 13.0.9, 13.1.7, 14.0.7, 14.1.8 and 15.0.4.
To reduce the risk posed by these vulnerabilities, users should update MOVEit Transfer to the fixed release for their branch, or to the latest version, as soon as possible.
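As a practical check against the version ranges above, the following added example (not vendor tooling, and not part of the original article) classifies MOVEit Transfer build numbers against the affected ceilings listed on this page: each listed branch is vulnerable at the stated build and at everything earlier, anything older than 12.1.10 is treated as affected, and branches the advisory does not mention are reported as unknown rather than guessed. It also accepts the year-style names that Progress uses alongside the build numbers (2023.0.x is 15.0.x, 2022.1.x is 14.1.x, and so on); that mapping comes from the vendor's release naming rather than from this page. The inventory of hosts is constructed sample data.

```python
import re

# Affected ceilings from the advisory text on this page: each listed branch is
# vulnerable at the given build number and at every earlier build of that branch.
AFFECTED_CEILING = {
    (12, 1): 10,   # 12.1.10 and earlier
    (13, 0): 8,    # 13.0.8 and earlier
    (13, 1): 6,    # 13.1.6 and earlier
    (14, 0): 6,    # 14.0.6 and earlier
    (14, 1): 7,    # 14.1.7 and earlier
    (15, 0): 3,    # 15.0.3 and earlier
}

# Progress names releases both by build major (15.0.x) and by year (2023.0.x);
# this mapping is taken from the vendor's release naming, not from this page.
YEAR_TO_MAJOR = {2020: 12, 2021: 13, 2022: 14, 2023: 15}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s*$")


def parse_version(text):
    """Return (major, minor, build) for strings like '15.0.3', '2023.0.3'
    or '14.1.7.25'; a trailing fourth component is ignored."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    major, minor, build = (int(x) for x in m.groups())
    major = YEAR_TO_MAJOR.get(major, major)   # normalise 2023.x -> 15.x
    return major, minor, build


def is_affected(text):
    """True if the build is in an affected range, False if it is a later build
    of a listed branch, None if the branch is not covered by this advisory."""
    major, minor, build = parse_version(text)
    ceiling = AFFECTED_CEILING.get((major, minor))
    if ceiling is not None:
        return build <= ceiling
    if (major, minor) < min(AFFECTED_CEILING):
        return True          # older than 12.1.10 falls under "12.1.10 and earlier"
    return None              # branch not listed: consult the vendor advisory


def triage(inventory):
    """Map host -> 'PATCH', 'OK', 'UNKNOWN' or 'UNPARSEABLE' for a dict of
    host -> reported version string."""
    labels = {True: "PATCH", False: "OK", None: "UNKNOWN"}
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = labels[is_affected(version)]
        except ValueError:
            result[host] = "UNPARSEABLE"
    return result


# Constructed sample inventory for the demonstration (hypothetical hosts).
SAMPLE_INVENTORY = {
    "mft-prod-01": "15.0.3",      # affected: at the ceiling
    "mft-prod-02": "2023.0.4",    # year-style name for 15.0.4: patched
    "mft-legacy":  "11.2.4",      # older than any listed branch: affected
    "mft-dr":      "14.1.7.25",   # four-part build string: affected
    "mft-test":    "13.1.7",      # patched
    "mft-misc":    "unknown",     # cannot be parsed
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:12} {status}")
```

Feed it whatever version strings your asset inventory reports; the "UNKNOWN" and "UNPARSEABLE" buckets exist so that hosts the logic cannot classify are surfaced for manual review instead of being silently marked safe.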