Security researchers from watchTowr have uncovered a severe authentication bypass vulnerability in Progress MOVEit Transfer, a widely used enterprise file transfer solution.
The vulnerability, identified as CVE-2024-5806 (CVSS 7.4, HIGH), allows attackers to impersonate legitimate users and potentially access sensitive data without proper authentication.
Last year, a vulnerability in the same software, CVE-2023-34362, led to significant data breaches affecting organizations like the BBC, British Airways, Boots, FBI etc. This new finding has once again put MOVEit Transfer under intense scrutiny from cybersecurity experts and IT administrators alike.
According to a detailed analysis by watchTowr security researchers, the vulnerability stems from a complex interplay between Progress MOVEit and its underlying IPWorks SSH server component.
The flaw allows attackers to exploit the authentication process, potentially granting unauthorized access to any user account on the system.
The watchTowr team's investigation revealed that the vulnerability hinges on how MOVEit handles public key authentication in certain scenarios. By manipulating the authentication process, an attacker can trick the system into believing a valid public key has been presented, even when it hasn't.
What makes this vulnerability particularly concerning is the ease of exploitation. The researchers demonstrated that with knowledge of a valid username, an attacker could potentially:
- Upload a specially crafted public key to the server through a previously unknown method.
- Exploit the authentication process to gain access as the targeted user.
- Perform unauthorized actions such as reading, modifying, or deleting sensitive files.
Perhaps most alarmingly, the watchTowr team developed a method to exploit this vulnerability without needing prior access to the server.
By cleverly manipulating system log files, attackers can inject their malicious public key data, circumventing the need for legitimate file upload permissions.
The researchers noted that while the vulnerability requires knowledge of a valid username, this hurdle is relatively easy to overcome. They even outlined a method for enumerating valid usernames by exploiting the same vulnerability, further lowering the bar for potential attacks.
It's worth noting that Progress has already developed and released patches to address this vulnerability in MOVEit Transfer version 2024.0.2. The fix primarily involves changes to how authentication status codes are handled, preventing the erroneous authentication bypass.
However, the watchTowr team raised concerns about the broader implications of this vulnerability. This issue affects MOVEit Transfer from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, and from 2024.0.0 before 2024.0.2.
They suggest that the underlying issue may affect other applications using the IPWorks SSH server component, potentially exposing a wider range of systems to similar attacks.
For system administrators and security teams, the researchers highlighted several indicators of compromise (IoCs) to watch for in log files:
- Failures to access the certificate store in the SftpServer.log file.
- Unusual log entries related to key fingerprints and authentication.
- Indications of keys being provided via file paths instead of as binary data.
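As an added example (not from watchTowr or Progress), the Python sketch below triages log lines for two of the indicators above: certificate-store failures and key material that is a file path rather than binary key data. The article does not give the actual SftpServer.log wording, so the `key=` field, the message patterns and the sample lines are constructed assumptions to adapt to your own logs.

```python
import base64
import re
import struct

# Assumption: the real SftpServer.log wording is not given in the article, so
# these patterns and the "key=" field name are placeholders to tune locally.
CERT_STORE_FAILURE = re.compile(
    r"certificate store.*(?:fail|error|unable)|(?:fail|error|unable).*certificate store", re.I)
KEY_FIELD = re.compile(r"\bkey=(\S+)")
PATH_LIKE = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\|/|\.{1,2}[\\/])")
KEY_ALGO_PREFIXES = (b"ssh-", b"ecdsa-", b"sk-")


def is_ssh_key_blob(value: str) -> bool:
    """True if value is base64 of an SSH public key blob (uint32 length + algorithm name)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) < 4:
        return False
    (name_len,) = struct.unpack(">I", raw[:4])
    name = raw[4:4 + name_len]
    return 0 < name_len <= 64 and len(name) == name_len and name.startswith(KEY_ALGO_PREFIXES)


def scan(lines):
    """Return (line_number, indicator) pairs for lines worth a closer look."""
    hits = []
    for n, line in enumerate(lines, 1):
        if CERT_STORE_FAILURE.search(line):
            hits.append((n, "cert-store-failure"))
        m = KEY_FIELD.search(line)
        if m and not is_ssh_key_blob(m.group(1)):
            kind = "key-is-file-path" if PATH_LIKE.match(m.group(1)) else "key-not-ssh-blob"
            hits.append((n, kind))
    return hits


# Constructed sample lines, not real MOVEit output.
_BLOB = base64.b64encode(
    struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)).decode()
SAMPLE_LOG = [
    f"2024-06-25 10:00:01 auth user=alice method=publickey key={_BLOB}",
    "2024-06-25 10:00:07 auth user=bob method=publickey key=D:\\keys\\id.pub",
    "2024-06-25 10:00:07 error: unable to open certificate store for user=bob",
    "2024-06-25 10:00:09 auth user=carol method=publickey key=not_base64!",
]

if __name__ == "__main__":
    for line_no, indicator in scan(SAMPLE_LOG):
        print(line_no, indicator)
```

A hit is a lead for review rather than proof of compromise; correlate it with the source address and the account named on the same line.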
Organizations using Progress MOVEit Transfer are strongly advised to:
- Update to the latest patched version (2024.0.2) immediately.
- Review system logs for any signs of exploitation attempts.
- Implement additional security controls such as IP whitelisting for user accounts where possible.
- Consider engaging in penetration testing or third-party security audits to identify any potential misconfigurations or vulnerabilities.
As the full impact of this vulnerability continues to unfold, it's clear that the cybersecurity community will be closely watching for any signs of active exploitation in the wild.