Progress MOVEit Products Could Allow for Authentication Bypass – PATCH: NOW – TLP: CLEAR

TLP:CLEAR
MS-ISAC CYBERSECURITY ADVISORY

MS-ISAC ADVISORY NUMBER:
2024-075

DATE(S) ISSUED:
06/25/2024

SUBJECT:
Multiple Vulnerabilities in Progress MOVEit Products Could Allow for Authentication Bypass

OVERVIEW:
Multiple vulnerabilities have been discovered in MOVEit products, which could allow for authentication bypass.

  • MOVEit Gateway acts as a proxy between inbound connections from the public network and your internal trusted network.
  • MOVEit Transfer is a secure managed file transfer application.

Successful exploitation of these vulnerabilities could allow for an attacker to bypass authentication. An attacker could then view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:
PoC code for CVE-2024-5806 has been released in the wild.

SYSTEMS AFFECTED:

  • MOVEit Gateway versions prior to 2024.0.1 
  • MOVEit Transfer versions prior to 2024.0.2, 2023.1.6, and 2023.0.11
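Triage of an inventory against the fixed versions listed above, as an added example that is not part of the MS-ISAC advisory or of any Progress tooling. The fixed builds are taken from the SYSTEMS AFFECTED list; the inventory format, hostnames and version strings are constructed for illustration, and the handling of release branches with no listed fix (treated as vulnerable when older than every fixed release) is an assumption of this example, not a statement from the advisory.

```python
"""Triage MOVEit Gateway / Transfer versions against the fixed builds in this advisory.

Added example, not part of the MS-ISAC advisory or Progress's tooling.  The fixed
versions come from the SYSTEMS AFFECTED section; everything else (the inventory
format, hostnames, version strings) is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Fixed build per release branch, taken from the advisory.  A branch is the first
# two components of the version (e.g. "2023.1"); any build below the fixed one on
# the same branch is vulnerable.
FIXED_VERSIONS = {
    "MOVEit Gateway": {"2024.0": (2024, 0, 1)},
    "MOVEit Transfer": {
        "2024.0": (2024, 0, 2),
        "2023.1": (2023, 1, 6),
        "2023.0": (2023, 0, 11),
    },
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'YYYY.minor.patch[.build]' into a comparable tuple; reject anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised MOVEit version string: {text!r}")
    return tuple(int(m.group(i)) for i in (1, 2, 3))  # type: ignore[return-value]


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    vulnerable: bool
    reason: str


def assess(product: str, version: str) -> tuple[bool, str]:
    """Return (vulnerable, reason) for one product/version pair."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    fixes = FIXED_VERSIONS[product]
    if branch in fixes:
        fixed = fixes[branch]
        fixed_str = ".".join(map(str, fixed))
        if v >= fixed:
            return False, f"at or above fixed build {fixed_str}"
        return True, f"below fixed build {fixed_str} on branch {branch}"
    # Assumption of this example: a branch with no listed fix is vulnerable when it
    # is older than every fixed release (e.g. 2022.x), and presumed fixed only when
    # it is newer than all of them (released after the patches).
    newest_fixed = max(fixes.values())
    if v < newest_fixed:
        return True, f"unsupported branch {branch}; upgrade to a fixed release"
    return False, f"branch {branch} is newer than any fixed release in the advisory"


def triage_inventory(lines: list[str]) -> list[Finding]:
    """Evaluate 'host,product,version' rows (a constructed format) and return findings."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        host, product, version = (f.strip() for f in line.split(",", 2))
        vulnerable, reason = assess(product, version)
        findings.append(Finding(host, product, version, vulnerable, reason))
    return findings


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    "# host,product,version",
    "mft-gw-01,MOVEit Gateway,2024.0.0",
    "mft-gw-02,MOVEit Gateway,2024.0.1",
    "mft-01,MOVEit Transfer,2023.1.5",
    "mft-02,MOVEit Transfer,2023.1.6",
    "mft-03,MOVEit Transfer,2023.0.11",
    "mft-legacy,MOVEit Transfer,2022.1.9",
    "mft-04,MOVEit Transfer,2024.0.2",
]

if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_INVENTORY):
        status = "VULNERABLE" if f.vulnerable else "patched"
        print(f"{f.host:12} {f.product:16} {f.version:10} {status:10} {f.reason}")
```

Feed it the product and version reported by each server (the Transfer and Gateway administrative consoles both display the installed version) rather than a banner grab; the comparison is branch-aware, so a 2023.1.5 install is flagged even though it is numerically "higher" than the fixed 2023.0.11 on the older branch.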

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in MOVEit products, which could allow for authentication bypass. Details of the vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

  • An Improper Authentication vulnerability in Progress MOVEit Gateway (SFTP module) allows for Authentication Bypass. (CVE-2024-5805)
  • An Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass in limited scenarios. (CVE-2024-5806)

Successful exploitation of these vulnerabilities could allow for an attacker to bypass authentication. An attacker could then view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Progress to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Restrict access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. For these vulnerabilities, limit which networks can reach the SFTP listeners of MOVEit Gateway and MOVEit Transfer until the updates are applied. (M1035: Limit Access to Resource Over Network)
  • Use intrusion detection signatures to block traffic at network boundaries. (M1031: Network Intrusion Prevention)
    • Safeguard 13.3: Deploy a Network Intrusion Detection Solution: Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
    • Safeguard 13.8: Deploy a Network Intrusion Prevention Solution: Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 13.10: Perform Application Layer Filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.

REFERENCES:

Progress:
https://community.progress.com/s/article/MOVEit-Gateway-Critical-Security-Alert-Bulletin-June-2024-CVE-2024-5805
https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806

Help Net Security: 
https://www.helpnetsecurity.com/2024/06/25/cve-2024-5805-cve-2024-5806/

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5806

Multi-State Information Sharing and Analysis Center (MS-ISAC)
Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061

24×7 Security Operations Center
SOC@cisecurity.org – 1-866-787-4722

TLP:CLEAR
www.cisa.gov/tlp
Information may be distributed without restriction, subject to standard copyright rules.