Progress Software has issued an advisory for a critical zero-day SQL Injection vulnerability in their MOVEit Transfer Solution. This vulnerability, initially disclosed on May 31, 2023, was assigned a CVE ID a few days later and is now tracked as CVE-2023-34362. It has received the maximum CVSS score of 10 out of 10, indicating its high severity. According to the advisory, this SQL Injection vulnerability could permit attackers to gain unauthorized access to the database of the MOVEit Transfer web application. Progress Software has issued a warning about the active exploitation of this vulnerability by the Cl0p ransomware gang. Microsoft linked the Cl0p ransomware group, associated with data-theft attacks on MOVEit, which can result in the theft or deletion of files or the encryption of files with a ransom demand attached. It is critical for MOVEit Transfer users to promptly update their systems to safeguard against this threat.
In this post, we’ll delve into what a zero-day vulnerability is, how to fix CVE-2023-34362, a critical zero-day SQL Injection vulnerability in the MOVEit Transfer Solution, and how to mitigate this serious issue.
What Is a Zero-Day?
A “Zero-Day” is a term used to describe a software vulnerability that is found by malicious actors before the software vendor becomes aware of it. Because the vendor doesn’t yet know about the issue, there’s no available patch to fix the vulnerability, making it more likely that an attack exploiting this vulnerability will succeed.
In this particular scenario, the vulnerability, labeled CVE-2023-34362, was initially discovered as a zero-day vulnerability. However, a patch to fix this vulnerability has been recently released for the impacted software.
A Short Introduction About MOVEit Transfer Solution
MOVEit Transfer, formerly known as Ipswitch MOVEit, is a comprehensive solution for secure file transfer. It is designed by Progress Software Corporation to ensure safe, reliable, and compliant transfers of sensitive data across networks. MOVEit Transfer offers both manual and automated file-transferring capabilities, and it supports a wide variety of security protocols to safeguard data during transit and at rest.
The solution is known for its robust security measures, including encryption, activity logging, and compliance with a variety of regulatory standards such as HIPAA, PCI, and GDPR. Furthermore, MOVEit Transfer provides versatile management features, enabling users to control and monitor all file transfer activities.
In addition to its high-level security and control, MOVEit Transfer also provides convenience and efficiency. It offers a user-friendly interface and is capable of integrating with a variety of systems and services, making it a flexible choice for businesses of all sizes and industries.
Summary of CVE-2023-34362
- Vendor: Progress Software
- Product: MOVEit Transfer Solution
- Vulnerability Type: SQL Injection Vulnerability
- Base Score: 10 Critical
- Vector: CVSS:3.1/AV:N/AC:L/Au:N/C:C/I:C/A:C
CVE-2023-34362 is a vulnerability found in the MOVEit Transfer web application. It relates to a SQL injection issue that could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database. This could occur in versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).
The type of database engine being used (MySQL, Microsoft SQL Server, or Azure SQL) could influence the potential impact of the attack. An attacker might be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.
This vulnerability was reportedly exploited by the threat actor group known as Lace Tempest, linked to Cl0p ransomware in the wild in May and June 2023. Unpatched systems can be exploited via either HTTP or HTTPS. All versions, including older unsupported ones, before the five explicitly mentioned versions are also affected.
Attacker Behavior – Technical Details
As per the research conducted by Rapid7, multiple web shells were observed in the same name, which indicates this can be an automated attack. Based on the observations made, the behavior of the adversary seems to be more opportunistic rather than specifically targeted. The consistent nature of the evidence we have encountered suggests that a single threat actor may be indiscriminately deploying a single exploit against vulnerable targets.
The threat actors are utilizing a recently discovered LEMURLOOT web shell that is disguised as human.aspx, a legitimate component of the MOVEit Transfer software.
LEMURLOOT is equipped with features specifically designed to operate on a system running MOVEit Transfer software. These functionalities include generating commands to gather information about files and directories, retrieving configuration details, as well as creating or removing a user with a pre-set name.
Preliminary analysis indicates that the LEMURLOOT web shell is being utilized to extract data that was previously uploaded by users of individual MOVEit Transfer systems.
As per the analysis by Mandiant has knowledge of numerous instances where significant quantities of files have been unlawfully obtained from the MOVEit transfer systems of victims. LEMURLOOT has the capability to pilfer Azure Storage Blob details, including credentials, from the application settings of MOVEit Transfer. This implies that threat actors exploiting this vulnerability may be pilfering files from Azure in situations where victims have stored appliance data in Azure Blob storage, although it remains uncertain if the theft is restricted solely to data stored in this manner.
Product Affected by CVE-2023-34362
All versions of MOVEit Transfer prior to the May 31, 2023 patch are vulnerable to this exploit. Remediation measures include updating to the patched version of the software, setting firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 until the patch is applied, and checking for indicators of compromise dating back at least a month.
|Affected Version||Fixed Version||Documentation|
|MOVEit Transfer 2023.0.0 (15.0)||MOVEit Transfer 2023.0.1||MOVEit 2023 Upgrade Documentation|
|MOVEit Transfer 2022.1.x (14.1)||MOVEit Transfer 2022.1.5||MOVEit 2022 Upgrade Documentation|
|MOVEit Transfer 2022.0.x (14.0)||MOVEit Transfer 2022.0.4|
|MOVEit Transfer 2021.1.x (13.1)||MOVEit Transfer 2021.1.4||MOVEit 2021 Upgrade Documentation|
|MOVEit Transfer 2021.0.x (13.0)||MOVEit Transfer 2021.0.6|
|MOVEit Transfer 2020.1.x (12.1)||Special Patch Available||See KB 000234559|
|MOVEit Transfer 2020.0.x (12.0) or older||MUST upgrade to a supported version||See MOVEit Transfer Upgrade and Migration Guide|
|MOVEit Cloud||MOVEit Transfer 126.96.36.199||All MOVEit Cloud systems are fully patched at this time.|
|MOVEit Transfer 188.8.131.52||Cloud Status Page|
Table 1: Affected Versions (Source: Progress)
How to Fix CVE-2023-34362- A Critical 0-Day SQL Injection Vulnerability in MOVEit Transfer Solution?
Progress Software responded to this critical 0-day SQL Injection vulnerability by releasing the patches. Please refer to the table from the above section to get the affected and corresponding fixed versions with links to documentation. Since patches are available, we recommend updating the patches as soon as possible to fix the CVE-2023-34362 vulnerability.
The vendor released a few mitigation steps on top of the patches.
- As mentioned above, attackers utilize HTTP and HTTPS traffic, hence disabling all HTTP and HTTPS communication to the MOVEit application.
- Modify rules on the firewall to deny communication to MOVEit on ports 80 and 443
- FTP and SFTP will still work as normal and can be accessed by admins via RDP
- Unauthorized files and user accounts should be deleted, and It is recommended to reset the credentials for the affected systems and the MOVEit Service Account.
- Delete any files with the prefix “human2.aspx” and any “.cmdline” script files.
- Check the “C:MOVEitTransferwwwroot” directory on the MOVEit Transfer server for any newly created files.
- Check the “C:WindowsTEMP[random]” directory on the MOVEit Transfer server for new files with a “.cmdline” file extension.
- Look for new “APP_WEB_[random].dll” files in the “C:WindowsMicrosoft.NETFramework64[version]Temporary ASP.NET Filesroot[random][random]” directory on the MOVEit Transfer server.
- Stop IIS by running the command “iisreset /stop”.
- Delete all “APP_WEB_[random].dll” files in the “C:WindowsMicrosoft.NETFramework64[version]Temporary ASP.NET Filesroot[random][random]” directory.
- Start IIS by running the command “iisreset /start”. Note that the web application will rebuild these files properly upon the next access, and it is normal to have at least one “APP_WEB_[random].dll” file in this directory.
- Remove any unauthorized user accounts, referring to the Progress MOVEit Users Documentation for guidance.
- Review logs for unexpected downloads of files from unknown IPs or a large number of file downloads. Refer to the MOVEit Transfer Logs guide for more information on log review.
The full updated IOC file is available on the official page of the progress community.
As per the recent tweet from Microsoft, the attack is attributed to Lace Tempest and the Clop ransomware gang. This is suspected because the method used by the ransomware gang is similar to the ongoing attack. It is also recommended to update firewall rules and harden security policies for better security.