CVE-2024-5806: Authentication Bypass Vulnerability in Progress MOVEit Transfer

Note: Exploitation of this vulnerability remains highly likely, and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog.

An improper authentication vulnerability, being tracked as CVE-2024-5806, has been discovered in Progress MOVEit Transfer (SFTP module). This vulnerability has a CVSS score of 9.1 (Critical) with a high potential for exploitation. If exploited, this vulnerability could allow an attacker to bypass authentication by exploiting improper handling of SSH key data. By manipulating the SSH public key authentication process, an attacker could gain unauthorized access to the system. Exploiting this vulnerability could enable a threat actor to impersonate any user on the server, leading to unauthorized data access and potential further exploitation. This includes access to sensitive files and possible lateral movement within the network.

This issue affects MOVEit Transfer versions from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.

A patch was distributed to Progress customers via email on June 11, 2024, the vulnerability was initially reported with a CVSS score of 7.4 but was updated on June 25 with a CVSS score of 9.1.00

Analysis

A proof of concept (POC) script and technical writeup have been made public by Watchtowr. The writeup details include the technical aspects of the vulnerability and provide the Python exploit code in a GitHub repo.

POC: https://github.com/watchtowrlabs/watchTowr-vs-progress-moveit_CVE-2024-5806

Writeup: https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/

The Kroll Cyber Threat Intelligence (CTI) team assesses that this vulnerability is likely to already be exploited.

Additional Third-Party Vulnerability

According to the Progress advisory: "A newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue mentioned above if left unpatched. While the patch distributed by Progress on June 11th successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk. Please work with your internal teams to take the following steps to mitigate the third-party vulnerability.

Steps customers should take to mitigate the third-party vulnerability:

• Verify you have blocked public inbound RDP access to MOVEit Transfer server(s)
• Limit outbound access to only known trusted endpoints from MOVEit Transfer server(s)

When the third-party vendor releases a fix, we will make that available to MOVEit Transfer customers."

It is currently unknown which third-party software is affected by this vulnerability.

Previous MOVEit Transfer Vulnerability Activity

While the previous MOVEit vulnerability, that was widely exploited in 2023 (tracked as CVE-2023-34362), is not connected to CVE-2024-5806 , it is crucial to note that MOVEit, along with other file transfer applications, are a high priority target for threat actors. These servers often house highly sensitive information and data, so threat actors will move quickly to exploit vulnerabilities.

Activity connected to MOVEit that we tracked in 2023:

• In May 2023, Kroll received multiple reports that a zero-day vulnerability in MOVEit Transfer was being actively exploited to gain access to MOVEit servers. Kroll has observed threat actors using this vulnerability to upload a web shell, exfiltrate data and initiate intrusion lifecycles. This vulnerability may also enable a threat actor to move laterally to other areas of the network. We provided a deep dive of threat actor activity here.
• On June 5, 2023, the Clop ransomware group publicly claimed responsibility for exploitation of a zero-day vulnerability in the MOVEit Transfer secure file transfer web application (CVE-2023-34362).  Subsequent Kroll analysis has confirmed that threat actors are using this vulnerability to upload a web shell and exfiltrate data. However, Kroll forensic review has also identified activity indicating that the Clop threat actors were likely experimenting with ways to exploit the MOVEit vulnerability as far back as 2021.
• In July 2023, our incident response experts determined that the vast majority of Kroll’s global MOVEit investigations leveraged one of 2 data exfiltration methods. The primary data exfiltration method (Method 1) consisted of utilizing the dropped web shell to inject a session or create a malicious account, after which threat actors were able to reauthenticate and use the MOVEit application itself to transfer files. However, in around 5% of cases, Kroll identified a distinctly different methodology (Method 2) that passes variables to the web shell and utilizes MOVEit API calls for file enumeration and data exfiltration, requiring a separate approach for analysis.

If your organization is unpatched, you are more susceptible to an attack and should patch immediately. If you’d like to understand your exposure or assess your potential risk, reach out to a Kroll expert today via our 24x7 hotlines or contact form.