Progress Software has issued an advisory regarding a critical SQL injection vulnerability, tracked as CVE-2023-35708, affecting its MOVEit Transfer solution. This vulnerability could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database and contents. In this post, we will provide an overview of the vulnerability, affected versions, and how to fix CVE-2023-35708, critical SQL Injection vulnerabilities in MOVEit Transfer Solution.
Introduction to MOVEit Transfer Solution
MOVEit Transfer is a managed file transfer solution that enables organizations to securely transfer sensitive data between systems and users. It supports multiple protocols like SFTP, FTPS, HTTPS, AS2, etc, and provides encryption to safeguard data. MOVEit Transfer also helps organizations meet compliance requirements related to data security and privacy.
Key features include:
- Secure file transfers with encryption
- Automated and scheduled file transfers
- Detailed activity logs and audit trails
- Compliance with regulations like HIPAA, PCI DSS, GDPR, etc.
- Integration with LDAP, SIEM, and other enterprise systems
- Intuitive web interface and mobile access
Summary of the Vulnerability
- Vendor: Progress Software
- Product: MOVEit Transfer Solution
- Vulnerability Type: SQL Injection Vulnerability
- Base Score: 10 Critical
- Vector: CVSS:3.1/AV:N/AC:L/Au:N/C:C/I:C/A:C
CVE-2023-35708 is a critical severity SQL injection vulnerability affecting MOVEit Transfer versions before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7) and 2023.0.3 (15.0.3).
By sending specially crafted input to MOVEit Transfer endpoints, an attacker could exploit this vulnerability to modify and disclose the contents of the backend database. This could result in unauthorized data access and manipulation.
The vulnerability was reported to be actively exploited in the wild by threat actors in June 2022. It allows exploitation over both HTTP and HTTPS.
All versions of MOVEit Transfer before the patches released on June 15, 2022 are affected. This includes:
- 2020.1.x (12.1.x) and older unsupported versions
- 2021.0.x (13.0.x) before 2021.0.8 (13.0.8)
- 2021.1.x (13.1.x) before 2021.1.6 (13.1.6)
- 2022.0.x (14.0.x) before 2022.0.6 (14.0.6)
- 2022.1.x (14.1.x) before 2022.1.7 (14.1.7)
- 2023.0.x (15.0.x) before 2023.0.3 (15.0.3)
How to Fix CVE-2023-35708- A Critical SQL Injection Vulnerability in MOVEit Transfer Solution?
Progress Software has released patches to address this vulnerability. Users are strongly advised to apply the relevant patch based on their MOVEit Transfer version:
- For versions 2021.0.8 (13.0.8) onwards, apply the 2023.0.3 (15.0.3) patch
- For versions 2021.1.6 (13.1.6) onwards, apply the 2022.1.7 (14.1.7) patch
- For versions 2022.0.6 (14.0.6) onwards, apply the 2022.0.6 (14.0.6) patch
- For versions 2022.1.7 (14.1.7) onwards, apply the 2022.1.7 (14.1.7) patch
- For older unsupported versions, upgrade to a supported release first before patching
The patches are available as full installers and drop-in DLL files. Refer to Progress Software’s advisory for links and steps to apply patches correctly.
Recommended Immediate Mitigations
Progress Software has advised customers to urgently apply several mitigations while working on patching this vulnerability:
- Disable all HTTP and HTTPS traffic to the MOVEit Transfer environment using firewall rules. This will disrupt web UI, API and add-in access but block remote exploitation attempts.
- Access MOVEit Transfer locally via RDP as a temporary workaround. This allows admin functions while blocking remote traffic.
- Reset credentials of affected MOVEit systems and service accounts. Eliminate unauthorized users or tokens.
- Check systems for signs of compromise like unexpected file downloads, new scripts or binaries. Threat actors often leave artifacts on breached systems.
- Closely monitor logs and transfers for anomalies indicating potential exploitation.
Applying Vendor Patches to Fix CVE-2023-35708
Progress Software has released patches resolving this SQL injection flaw for supported MOVEit Transfer versions:
- 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7) and 2023.0.3 (15.0.3)
For MOVEit Transfer 2021.0.x, 2021.1.x, 2022.0.x, 2022.1.x and 2023.0.x, users should download and install the relevant fixed release from the vendor advisory.
Those on older unsupported editions like 2020.1.x or 12.0.x must upgrade to a supported version first before installing the patches.
The fixes are available both as full installers and drop-in DLL packages. The DLLs allow quicker updating by just replacing a few binaries instead of full installations. Refer to Progress’ documentation for steps on applying patches correctly.
It is critical that customers immediately update their MOVEit Transfer deployments to close this SQL injection vulnerability before threat actors can exploit it for data theft, destruction or disruption.
Ongoing Security Best Practices
In addition to applying these specific fixes, organizations should adopt these best practices to enhance MOVEit Transfer security:
- Maintain comprehensive and frequently updated backups in case of ransomware or data loss.
- Harden the underlying server operating system through controls like firewalls, limited user accounts and endpoint monitoring.
- Perform periodic penetration testing and vulnerability scans to identify risks proactively.
- Install MOVEit patches, updates and new versions promptly when released.
- Enable logging and monitoring to quickly detect unauthorized access or transfers.
- Segment MOVEit Transfer into its own virtual LAN with controlled internet access.
Combining prompt patching with robust hardening and logging enables organizations to minimize future SQL injection and other application-layer threats against MOVEit Transfer deployments.
SQL injection vulnerabilities like CVE-2023-35708 demand urgent attention before malicious actors exploit them to compromise sensitive data. MOVEit Transfer users should follow Progress Software’s recommendations to mitigate and patch this high-risk vulnerability. Along with patching, adopting ongoing security best practices is key to protecting MOVEit Transfer’s confidentiality, integrity and availability.