Attackers appear to be pounding away at a couple of critical bugs that Progress Software disclosed this week in its MOVEit file transfer application, with nearly the same ferocity as they did the zero-day flaw the company disclosed almost exactly a year ago.
While patches are available for the new flaws, the big question now for affected organizations is whether they can apply them quickly enough to beat adversaries targeting their systems, especially with a proof-of-concept exploit available in the wild.
Patching Alone Is Insufficient

Even those that might have already applied updates have more work to do because the original patch that Progress issued for one of the flaws does not mitigate new issues that the software maker discovered after the patch release.
The new MOVEit Transfer vulnerabilities are both improper authentication issues in the SFTP module.
They allow an attacker to potentially impersonate any user on an affected instance and take control of it.
One of the flaws, tracked as CVE-2024-5806, affects MOVEit Transfer versions from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, and from 2024.0.0 before 2024.0.2.
The other, identified as CVE-2024-5805, affects MOVEit Gateway: 2024.0.0.
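One way to turn the affected-version ranges above into a quick inventory check, as an added example that is not code from the article or from Progress Software (the product strings, function names and the sample hostnames are assumptions made here):

```python
"""Affected-version check for the MOVEit flaws named in the article.

Added example, not Progress Software's own tooling. The affected ranges are
the ones stated in the text; product names, function names and the sample
inventory below are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn a dotted version string such as '2023.0.11' into a comparable
    three-part tuple; missing trailing components are padded with 0 so that
    '2023.0' compares equal to '2023.0.0'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > 3:
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


@dataclass(frozen=True)
class AffectedRange:
    cve: str
    product: str
    start: Version              # first affected release (inclusive)
    fixed: Optional[Version]    # first patched release (exclusive); None = only `start`

    def contains(self, version: Version) -> bool:
        if self.fixed is None:
            return version == self.start
        return self.start <= version < self.fixed


# Ranges exactly as the advisory text quoted in the article gives them.
AFFECTED = [
    AffectedRange("CVE-2024-5806", "MOVEit Transfer", (2023, 0, 0), (2023, 0, 11)),
    AffectedRange("CVE-2024-5806", "MOVEit Transfer", (2023, 1, 0), (2023, 1, 6)),
    AffectedRange("CVE-2024-5806", "MOVEit Transfer", (2024, 0, 0), (2024, 0, 2)),
    # The article lists a single Gateway version and no fixed version,
    # so this entry matches 2024.0.0 only.
    AffectedRange("CVE-2024-5805", "MOVEit Gateway", (2024, 0, 0), None),
]


def matching_cves(product: str, version_text: str) -> list:
    """CVE identifiers whose affected ranges include this product and version."""
    version = parse_version(version_text)
    return sorted({r.cve for r in AFFECTED if r.product == product and r.contains(version)})


def triage(inventory) -> dict:
    """Map each host in (host, product, version) triples to the CVEs it is
    exposed to; hosts outside every affected range are left out."""
    report = {}
    for host, product, version in inventory:
        cves = matching_cves(product, version)
        if cves:
            report[host] = cves
    return report


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("mft-01.example.test", "MOVEit Transfer", "2023.0.10"),
    ("mft-02.example.test", "MOVEit Transfer", "2023.1.6"),
    ("mft-03.example.test", "MOVEit Transfer", "2024.0.1"),
    ("gw-01.example.test", "MOVEit Gateway", "2024.0.0"),
    ("gw-02.example.test", "MOVEit Gateway", "2024.0.1"),
]

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves)}")
```

The check only reflects the ranges the advisory states: a version outside every listed range is reported as clean even if it is an older, unsupported release, and, as the article goes on to explain, being on the first patched build does not by itself cover the additional third-party component issue Progress later described, so the version test is a triage step rather than a clean bill of health.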
When Progress first disclosed CVE-2024-5806 on June 25, the company assigned the flaw a medium-severity score of 7.4 out of a maximum possible 10 on the CVSS scale.
Progress quickly upgraded that score to 9.1 after researchers at watchTowr discovered a vulnerability in a third-party component used in MOVEit Transfer.
Progress described the issue as introducing new risks to organizations, including those that might have already applied the patch for CVE-2024-5806.
In an update to its original advisory, Progress urged affected organizations to install the patch and also block public inbound RDP access to MOVEit Transfer servers and limit outbound transfers to only known and trusted endpoints.
An Internet scan that Censys conducted on June 25 unearthed some 2,700 MOVEit Transfer instances online, most of them in the US. Internet scanning entity ShadowServer, which reported observing exploit attempts targeting CVE-2024-5806 almost immediately after Progress disclosed the flaw, identified some 1,800 instances online as of June 27.
In theory, an actor would need to identify an unpatched MOVEit Transfer instance and know a valid username for accessing the service, she says.
The new flaws come a year after Progress disclosed CVE-2023-34362, a SQL injection zero-day vulnerability in MOVEit Transfer that ranked as one of the most widely exploited flaws of 2023.
The Cl0p ransomware group, which claimed credit for discovering the flaw, was among the many that exploited it with devastating effect last year.
Affected organizations cannot afford to delay given how widely they are being targeted, says Mike Walters, president and co-founder of Action1.
Austin says CVE-2024-5806 is somewhat more complex than the SQL injection bug in MOVEit Transfer that Cl0p exploited throughout 2023.
Instance administrators should still take the new flaw very seriously and follow mitigation guidance provided by Progress Software, she says.
At this time, it seems unlikely that the exploitation of this vulnerability will be as widespread as last year's massive campaign exploiting CVE-2023-34362, says Paul Prudhomme, principal security analyst at SecurityScorecard.
Prudhomme reiterates that patching alone is not sufficient against vulnerabilities such as CVE-2024-5806.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 27 Jun 2024 17:40:08 +0000