
Additional Critical Vulnerability in Progress MOVEit Transfer


Summary

Progress has issued a security update to address a third SQL injection vulnerability in MOVEit Transfer (CVE-2023-35708).


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Progress (formerly Ipswitch) has released a security update and mitigations for a critical SQL injection vulnerability found in the MOVEit Transfer web application, a managed secure file transfer tool. The critical vulnerability could allow a remote, unauthenticated attacker to escalate privileges, gain access to the environment and access or modify MOVEit database content.

Third MOVEit Transfer Vulnerability

The updates detailed in this alert refer to CVE-2023-35708, which was disclosed on 15 June 2023. This is the third vulnerability affecting MOVEit Transfer in as many weeks, following CVE-2023-34362 (31 May 2023), covered in CC-4326, and CVE-2023-35036 (9 June 2023), covered in CC-4335.

The remediation and mitigation steps listed below include and supersede advice provided in previous NHS Cyber Alerts.


Threat updates

Date         Update
15 Jun 2023  MOVEit Transfer Critical Vulnerability – CVE-2023-35708 (June 15, 2023) - Progress Community
9 Jun 2023   MOVEit Transfer Critical Vulnerability – CVE-2023-35036 (June 9, 2023) - Progress Community
31 May 2023  MOVEit Transfer Critical Vulnerability (May 2023) (CVE-2023-34362) - Progress Community


Remediation advice

Affected organisations are encouraged to review the Progress Community advisory MOVEit Transfer Critical Vulnerability – CVE-2023-35708 - June 2023, apply the mitigations immediately and apply the updates as soon as practicable.


Remediation steps

Type   Step

Patch  If you have NOT applied the May 2023 patch: Follow all the remediation steps and patching in the following article: MOVEit Transfer Critical Vulnerability (May 2023). That article contains the latest patches, which include the fix for the June 9 (CVE-2023-35036) vulnerability as well as the original vulnerability from May 31 (CVE-2023-34362).

Patch  If you have already applied the May 2023 (CVE-2023-34362) patch and followed the remediation steps, but have not applied the June 9 patch: Proceed to the Immediate Mitigation Steps and apply the June 15 patch (CVE-2023-35708) as outlined below. You will then be up to date for the vulnerabilities announced on May 31 (CVE-2023-34362), June 9 (CVE-2023-35036) and June 15 (CVE-2023-35708).

Patch  If you have applied the May 2023 (CVE-2023-34362) patch, followed the remediation steps and applied the June 9 (CVE-2023-35036) patch: Proceed to the Immediate Mitigation Steps and apply the June 15 patch (CVE-2023-35708) as outlined below. You will then be up to date for the vulnerabilities announced on May 31 (CVE-2023-34362), June 9 (CVE-2023-35036) and June 15 (CVE-2023-35708).


Action

Immediate Mitigation Steps

1. Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment. More specifically:

  • Modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443.

  • It is important to note that until HTTP and HTTPS traffic is enabled again:

      • Users will not be able to log on to the MOVEit Transfer web UI

      • MOVEit Automation tasks that use the native MOVEit Transfer host will not work

      • REST, Java and .NET APIs will not work

      • MOVEit Transfer add-in for Outlook will not work

      • SFTP and FTP/S protocols will continue to work as normal

2. As a workaround, administrators will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then browsing to https://localhost/

For more information on localhost connections, please refer to MOVEit Transfer Help: https://docs.progress.com/bundle/moveit-transfer-web-admin-help-2023/page/Security-Policies-Remote-Access_2.html

3. Apply the patch. Patches for supported MOVEit Transfer versions are linked from the Progress Community advisory referenced above. Supported versions are listed at the following link: https://community.progress.com/s/products/moveit/product-lifecycle. Please note, the licence file can remain the same when staying on a major release to apply the patch.

4. Re-enable HTTP and HTTPS traffic to your MOVEit Transfer environment.

5. Please bookmark the Progress Security Page and refer to it to ensure you have all of the latest updates.
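The following is an added example, not part of the NHS alert or of Progress's advisory, showing one way to carry out steps 1, 2 and 4 above with host-based Windows Defender Firewall rules on the MOVEit Transfer server itself (MOVEit Transfer runs on Windows/IIS). The rule name, the function names, the placeholder host name and the assumption that SFTP listens on 22 and implicit FTPS on 990 are all assumptions for this example; it does not replace blocking the same ports at the perimeter firewall.

```powershell
# Added example: temporary Windows Defender Firewall block for MOVEit Transfer
# HTTP/HTTPS during patching. Run from an elevated PowerShell session on the
# MOVEit Transfer server. The rule name below is an assumption for this example.
$RuleName = 'MOVEit-Mitigation-Block-HTTP-HTTPS'

function Disable-MoveitWebTraffic {
    # Step 1: deny inbound TCP 80 and 443 on every profile. In Windows Defender
    # Firewall a Block rule takes precedence over Allow rules, so the existing
    # IIS allow rules do not need to be edited or removed.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName `
            -Direction Inbound -Protocol TCP -LocalPort 80, 443 `
            -Action Block -Profile Any -Enabled True | Out-Null
    }
    # Confirm the rule is attached to the intended ports before relying on it.
    Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallPortFilter
}

function Enable-MoveitWebTraffic {
    # Step 4: remove the temporary block once the Progress patch is installed.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

function Test-MoveitMitigation {
    # Run from a different host on the network: 80/443 must now be refused while
    # SFTP (22) and implicit FTPS (990) still answer. Ports are assumed defaults;
    # adjust to the listeners configured on your server.
    param([Parameter(Mandatory)][string]$MoveitHost)
    foreach ($Port in 80, 443, 22, 990) {
        $Open = (Test-NetConnection -ComputerName $MoveitHost -Port $Port `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{
            Port     = $Port
            Open     = $Open
            Expected = ($Port -notin 80, 443)   # web ports closed, file-transfer ports open
            Ok       = ($Open -eq ($Port -notin 80, 443))
        }
    }
}

# Usage (host name is a placeholder):
#   Disable-MoveitWebTraffic
#   Test-MoveitMitigation -MoveitHost 'moveit.example.internal'   # every row should show Ok = True
#   ... apply the Progress patch, then:
#   Enable-MoveitWebTraffic
#   Test-MoveitMitigation -MoveitHost 'moveit.example.internal'   # 80/443 should report Open = True again
```

Because Windows Defender Firewall does not filter loopback traffic, the https://localhost/ workaround in step 2 keeps working while these rules are in place; an administrator on the server over RDP can still reach the web UI to apply the patch. Re-run the test after step 4 so that a forgotten block rule does not leave the web UI, the REST/Java/.NET APIs and the Outlook add-in unavailable after patching.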




Last edited: 16 June 2023 5:26 pm