Progress Software Releases July 2023 Service Pack for MOVEit Transfer

Service pack includes security updates for 3 vulnerabilities, 1 Critical and 2 High


Affected platforms

The following platforms are known to be affected:

Threat details

Unsupported versions of MOVEit Transfer also affected.

Progress Software state in the advisory that MOVEit Transfer 2020.0.x (12.0.x) and older MOVEit Transfer products are also affected but will not receive updates. Progress encourages customers to upgrade to a supported version.


Introduction

Progress (formerly Ipswitch) has released security updates for three vulnerabilities found in the MOVEit Transfer web application, a managed secure file transfer tool.

Note: Recent MOVEit Transfer vulnerabilities from May and June of 2023 have been widely exploited by threat groups, most notably the CL0P ransomware group.


Vulnerability details

  • CVE-2023-36934 is a critical SQL injection vulnerability that could allow a remote, unauthenticated attacker to bypass authentication, gain access to the environment, and access or modify MOVEit database content.
  • CVE-2023-36933 is an unhandled exception vulnerability that could allow an attacker to cause the application to terminate unexpectedly. 
  • CVE-2023-36932 is an SQL injection vulnerability that could allow an authenticated attacker to submit a crafted payload to the endpoint, which could lead to modification and disclosure of MOVEit database content.

Remediation advice

Affected organisations are encouraged to review the Progress Community advisory MOVEit Transfer 2020.1 (12.1) Service Pack (July 2023) and apply updates as soon as practicable. 


Remediation steps

Guidance

There are two paths to take, depending on whether you have applied the remediation and patching steps from the MOVEit Transfer Critical Vulnerability (May 2023):


Patch

Have applied May 2023 (CVE-2023-34362) patch and followed the remediation steps: Update with the associated Fixed Version (drop-in DLLs).


Patch

Have NOT applied May 2023 (CVE-2023-34362) patch and followed the remediation steps: Follow all the remediation steps in the following article: MOVEit Transfer Critical Vulnerability (May 2023). Afterwards, update with the associated Fixed Version (drop-in DLLs).


Guidance

IMPORTANT: Please read the README.txt before attempting the DLL Drop-in Install.

  • Do not leave old versions of these DLL files on the system. They must be completely removed, not just renamed. 
  • When shutting down MOVEit Transfer services (step 1), it is necessary to also stop the IIS services (World Wide Web Publishing Services) to successfully replace the old DLLs. Once the new files are copied to their respective destinations, restart both the MOVEit Transfer and IIS services.
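
A post-install check for the two points above, as an added PowerShell example that is not part of the advisory or of the Progress README: it lists files under the install folder that look like old copies of the replaced DLLs, matching by file name and by the OriginalFilename stored in the DLL's version resource, which survives a rename. The install path and DLL names are placeholders (assumptions); take the real values from README.txt.

```powershell
# Added example: post-install check for leftover copies of replaced DLLs.
# ASSUMPTIONS (placeholders, not from the advisory): install root and DLL names.
# Take the real values from the README.txt shipped with the Fixed Version.
param(
    [string]   $InstallRoot = 'C:\PLACEHOLDER\MOVEitTransfer',
    [string[]] $DllNames    = @('PLACEHOLDER_1.dll', 'PLACEHOLDER_2.dll')
)

function Find-LeftoverDll {
    param([string] $Root, [string[]] $Names)

    $stems = $Names | ForEach-Object { [System.IO.Path]::GetFileNameWithoutExtension($_) }
    foreach ($file in Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue) {
        $info = $null
        try { $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($file.FullName) } catch { }

        # Exact name: the DLL in its expected place (-contains is case-insensitive).
        $exactName  = $Names -contains $file.Name
        # Stem inside another name: e.g. a ".dll.bak" or "_old.dll" style copy.
        $stemInName = [bool]($stems | Where-Object {
            $file.Name.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0 })
        # OriginalFilename lives in the PE version resource, so it survives a
        # rename; it is empty when the file carries no version resource.
        $embedded   = $info -and $info.OriginalFilename -and
                      ($Names -contains $info.OriginalFilename)

        if ($exactName -or $stemInName -or $embedded) {
            [pscustomobject]@{
                Status      = if ($exactName) { 'Installed' } else { 'Review' }
                Path        = $file.FullName
                FileVersion = if ($info) { $info.FileVersion } else { $null }
            }
        }
    }
}

# Both MOVEit Transfer and IIS must be running again once the files are replaced.
$w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
if ($w3svc -and $w3svc.Status -ne 'Running') {
    Write-Warning 'World Wide Web Publishing Service (W3SVC) is not running.'
}

$found = @(Find-LeftoverDll -Root $InstallRoot -Names $DllNames)
$found | Sort-Object Status, Path | Format-Table -AutoSize
$review = @($found | Where-Object { $_.Status -eq 'Review' })
if ($review.Count -gt 0) {
    Write-Warning "$($review.Count) file(s) to review: old DLL copies must be deleted, not renamed."
    exit 1
}
```

Rows marked Installed show the file version to compare against the Fixed Version; rows marked Review are candidates only, since a name match can also catch unrelated companion files.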



Last edited: 6 July 2023 4:31 pm