In July 2023, Progress Software released a service pack that fixes three security vulnerabilities in its MOVEit Transfer solution, including a critical zero-day SQL Injection vulnerability; this follows the release of CVE-2023-34362 in June 2023. The three vulnerabilities are tracked as CVE-2023-36934, CVE-2023-36932, and CVE-2023-36933: one is Critical and two are High in severity. According to the vendor, they were disclosed after a series of cyberattacks targeted the CVE-2023-34362 vulnerability. CVSS scores have not yet been provided; however, CVE-2023-36934 is rated Critical because of how easily it can be exploited. The flaw can be exploited without logging in, which means attackers do not need valid credentials to exploit it.
Progress Software has noted that there are no traces of active exploitation in the wild. It is nonetheless critical for MOVEit Transfer users to update their systems promptly to safeguard against these threats. In this post, we will look at what an SQL Injection attack is, how to fix CVE-2023-36934, the critical SQL Injection vulnerability in the MOVEit Transfer solution, and how to mitigate these serious issues.
A Short Note About SQL-Injection Attacks
In general, SQL Injection is a code injection technique that attackers use to exploit weaknesses in the way a web application builds its database queries. It is a very serious security issue that can lead to unauthorized access to sensitive data, including customer information, personal details, proprietary company data, and more.
The concept of an SQL Injection attack is pretty straightforward: instead of using the input fields of a web application for their intended purpose, an attacker provides specially crafted input data that can manipulate the SQL queries running in the backend. If not properly secured, these manipulated queries can allow the attacker to view, modify, or delete data that they should not have access to.
For example, imagine a simple login form where a user provides a username and password. Normally, the server-side code would build an SQL query such as `SELECT * FROM Users WHERE Username='inputted_username' AND Password='inputted_password'`. If an attacker enters `' OR '1'='1` in the username field, the resulting query becomes `SELECT * FROM Users WHERE Username='' OR '1'='1' AND Password='whatever'`. Since `'1'='1'` is always true, this query will return data regardless of what the correct username or password should be, potentially granting the attacker access to the system.
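As an added example (not code from the original post or from the MOVEit product), the login check below is written in Python against an in-memory SQLite table with constructed sample data; it supplies the `' OR '1'='1` string in both the username and password fields and contrasts the concatenated query with a parameterized one.

```python
import sqlite3

# Constructed sample data for the demonstration: one user, with a plaintext
# password kept only to keep the example short (never store passwords this way).
SAMPLE_USERS = [("alice", "s3cret")]
PAYLOAD = "' OR '1'='1"  # the injection string discussed above


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_query(username, password):
    # The flaw: user input is spliced into the SQL text, so quote characters
    # in the input change the structure of the statement itself.
    return ("SELECT * FROM Users WHERE Username='" + username +
            "' AND Password='" + password + "'")


def login_vulnerable(conn, username, password):
    query = build_vulnerable_query(username, password)
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    # The fix: placeholders bind the input as data; the statement structure is
    # fixed before the engine ever sees a user-supplied value.
    query = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    conn = make_db()
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_wrong_pw": login_vulnerable(conn, "alice", "nope"),
        "vuln_injected": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        "safe_valid": login_safe(conn, "alice", "s3cret"),
        "safe_injected": login_safe(conn, PAYLOAD, PAYLOAD),
    }


if __name__ == "__main__":
    print(build_vulnerable_query(PAYLOAD, PAYLOAD))
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

With the string only in the username field, AND binds tighter than OR, so the outcome still depends on the password clause; supplying it in both fields makes the concatenated query true regardless of either value, while the parameterized version rejects it.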
A Short Introduction About MOVEit Transfer Solution
MOVEit Transfer is a comprehensive Managed File Transfer (MFT) solution that allows organizations to securely transfer sensitive data between business partners, customers, and employees, while meeting compliance requirements.
Key Features of MOVEit Transfer:
- Secure File Transfers: MOVEit Transfer supports numerous protocols like FTPS, SFTP, HTTPS, and AS2 to ensure secure data transfer. It employs high-grade encryption methods to protect data in transit and at rest.
- Regulatory Compliance: MOVEit Transfer helps organizations comply with various regulations, such as GDPR, HIPAA, PCI, and others, by providing detailed logging and tamper-evident audit trails.
- Automation Capabilities: The solution also offers the ability to automate file transfer tasks based on triggers and events, reducing the need for manual intervention.
- Integration: It is designed to integrate with existing IT infrastructure, including LDAP/AD for user authentication and SIEM systems for advanced monitoring and reporting.
- Scalability: MOVEit Transfer is scalable, meaning it can handle increasing amounts of data transfers as the business grows.
- User-Friendly Interface: The platform offers a web-based, user-friendly interface that makes it easy for users to securely send, receive and manage file transfers.
- Mobile Access: MOVEit provides a mobile app for convenient access to file transfer tasks on the go.
List of Security Vulnerabilities Patched in July’s Service Packs
MOVEit's July Service Pack covers three security vulnerabilities. One is a Critical SQL Injection vulnerability, and the other two are rated High in severity. This section summarizes all three.
Summary of CVE-2023-36934 (Severity: CRITICAL)
This is a critical SQL injection vulnerability in the MOVEit Transfer web application, disclosed by Guy Lederfein of Trend Micro in collaboration with the Zero Day Initiative program. It could enable an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database: by submitting a specially crafted payload to a MOVEit Transfer application endpoint, an attacker could modify and disclose MOVEit database content. The flaw affects versions of the application released before the following: 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4).
Summary of CVE-2023-36932 (Severity: HIGH)
This is a high-severity vulnerability found in MOVEit Transfer versions released before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4). Specifically, it covers a series of SQL injection weaknesses in the MOVEit Transfer web application that could permit an authenticated attacker to gain unauthorized access to the MOVEit Transfer database. By submitting a carefully crafted payload to a MOVEit Transfer application endpoint, the attacker could potentially modify and disclose MOVEit database content. Discovery credit goes to HackerOne's cchav3z and Nicolas Zilio, working with CrowdStrike, along with hoangha2, hoangnx, and duongdpt (Q5Ca) of VCSLAB of Viettel Cyber Security.
Summary of CVE-2023-36933 (Severity: HIGH)
This is a high-severity vulnerability in the MOVEit Transfer web application, disclosed by jameshorseman from HackerOne. It allows an attacker to invoke a certain method that leads to an unhandled exception; when exploited, this can abruptly terminate the MOVEit Transfer application. The flaw affects MOVEit Transfer versions released before 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4).
MOVEit Transfer Versions Vulnerable to CVE-2023-36934 and the Other Two Vulnerabilities

| CVE ID | Severity | Vulnerable Versions |
|---|---|---|
| CVE-2023-36934 | CRITICAL | MOVEit Transfer versions released before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), 2023.0.4 (15.0.4) |
| CVE-2023-36932 | HIGH | MOVEit Transfer versions released before 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), 2023.0.4 (15.0.4) |
| CVE-2023-36933 | HIGH | MOVEit Transfer versions released before 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), 2023.0.4 (15.0.4) |
How to Fix CVE-2023-36934, a Critical SQL Injection Vulnerability in the MOVEit Transfer Solution?
As per the advisory from Progress Software, before you fix the CVE-2023-36934 vulnerability you must confirm that the May 2023 patches (CVE-2023-34362) have already been applied; applying them is a mandatory prerequisite. There are two paths to choose from:
- If you have already applied the May 2023 (CVE-2023-34362) patch and adhered to the remediation steps: You should update with the corresponding Fixed Version utilizing drop-in DLLs.
- If you have NOT applied the May 2023 (CVE-2023-34362) patch or followed the remediation steps: You should first complete all the remediation steps outlined in the MOVEit Transfer Critical Vulnerability (May 2023) article. Once those steps are completed, you should update with the corresponding Fixed Version using drop-in DLLs.
The vendor recommends reading the README.txt file before attempting the DLL drop-in install. It’s important to entirely remove, not just rename, any old versions of these DLL files. When shutting down the MOVEit Transfer services (step 1), it’s also necessary to stop the IIS services (World Wide Web Publishing Services) to successfully replace the old DLLs. After the new files are copied into their respective destinations, both the MOVEit Transfer and IIS services should be restarted.
The table below lists the affected versions and their corresponding fixes:

| Affected Version | Fixed Version (Drop-In DLLs) | Documentation | Release Notes |
|---|---|---|---|
| MOVEit Transfer 2020.1.6 (12.1.6) or later | MOVEit Transfer 2020.1.11 (12.1.11) | Download the patch at the link in the Fixed Version column and see the readme.txt file in the zip file for instructions | MOVEit Transfer 2020.1.11 Release Notes |
| MOVEit Transfer 2020.0.x (12.0.x) or older | Must upgrade to a supported version | See MOVEit Transfer Upgrade and Migration Guide | N/A |
To implement the fix, please follow these steps:
- Verify that you are using MOVEit Transfer 2020.1.6 (12.1.6) or a later version of 2020.1 (12.1). You can download the installer for MOVEit Transfer 12.1.6 here.
- Stop all services and close the Config utility.
- Unzip the file provided at the URL mentioned in the above table.
- Consult the instructions in the README.txt file to determine the correct locations to place each file.
- Restart the MOVEit services.
In conclusion, the CVE-2023-36934 SQL injection vulnerability in the MOVEit Transfer solution could potentially allow unauthenticated attackers to gain unauthorized access to the database and run any code they want. This is a critical security flaw that needs to be addressed immediately.
Fortunately, there are steps that can be taken to fix this vulnerability. First, it is recommended to update to the latest version of MOVEit Transfer, which includes a security update addressing this vulnerability. Additionally, it is important to follow best practices for secure coding and database management to prevent similar vulnerabilities from occurring in the future.
Overall, it is crucial for organizations to take proactive steps to protect their systems and data from security threats. By staying up-to-date with security updates and following best practices, organizations can minimize the risk of vulnerabilities like CVE-2023-36934 and ensure the safety and security of their data.