Last updated at Fri, 28 Jun 2024 17:51:57 GMT

On June 25, 2024, Progress Software published information on two new vulnerabilities in MOVEit Transfer and MOVEit Gateway:

  • CVE-2024-5806, a critical authentication bypass affecting the MOVEit Transfer SFTP service in a default configuration; and
  • CVE-2024-5805, a critical SFTP-associated authentication bypass vulnerability affecting MOVEit Gateway.

Attackers can exploit these improper authentication vulnerabilities to bypass SFTP authentication and gain access to MOVEit Transfer and MOVEit Gateway.

Note: On June 26, 2024, Progress Software updated the advisory for CVE-2024-5806 to state that “a newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue.” On the same day, the severity rating for CVE-2024-5806 was changed from “High” to “Critical.” The advisory now also includes two new mitigation recommendations: “Verify you have blocked public inbound RDP access to MOVEit Transfer server(s)” and “Limit outbound access from MOVEit Transfer server(s) to only known trusted endpoints.” It appears from vendor communications and public discourse that the proof-of-concept exploit code for the MOVEit Transfer vulnerability released on June 25 may also include a new zero-day vulnerability that neither Progress Software nor the third-party library producer was previously aware of.

CVE-2024-5806 is an improper authentication vulnerability affecting the MOVEit Transfer SFTP service that can lead to authentication bypass; the exploit chain that was publicly released on June 25 also allows for the theft of Windows service account credentials via forced authentication (it’s unclear as of June 26 whether credential theft via forced authentication is part of the original CVE-2024-5806 issue or a completely separate new vulnerability that was surprise-disclosed to Progress Software and the third-party library producer).

Rapid7 researchers tested a MOVEit Transfer 2023.0.1 instance, which appeared to be vulnerable to CVE-2024-5806 in the default configuration. As of June 25, there are three known prerequisites for exploiting the authentication bypass: the attacker knows an existing username, the target account can authenticate remotely, and the SFTP service is exposed. It’s possible that attackers may spray usernames to identify valid accounts. A forced authentication attack can be carried out if the host system’s firewall allows egress traffic over protocols that Windows will automatically authenticate to, such as SMB. Rapid7 advises installing the vendor-supplied patch for CVE-2024-5806 on an emergency basis, without waiting for a regular patch cycle to occur.

Notably, Rapid7 has observed that the patched (latest) version of MOVEit Transfer has been available on VirusTotal since at least June 11, 2024. Vulnerability details and proof-of-concept exploit code are publicly available for MOVEit Transfer CVE-2024-5806 as of June 25, 2024. Security nonprofit Shadowserver has reported exploit attempts against its honeypots (note that honeypot activity does not always correlate with threat activity in real-world production environments).

MOVEit Gateway CVE-2024-5805

According to Progress Software’s advisory, CVE-2024-5805 is a critical authentication bypass vulnerability affecting the SFTP feature of MOVEit Gateway version 2024.0.0; earlier versions do not appear to be vulnerable, which likely limits the available attack surface area. MOVEit Gateway is an optional component designed to proxy traffic into and out of MOVEit Transfer instances. A patch for CVE-2024-5805 is available and should be applied on an emergency basis by organizations running MOVEit Gateway.

Mitigation guidance

Progress MOVEit is an enterprise file transfer suite, which inherently makes it a highly desirable target for threat actors. Because enterprise file transfer software typically holds large volumes of confidential data, smash-and-grab attackers target these solutions to extort victims. In June 2023, an unauthenticated attack chain targeting MOVEit Transfer was widely exploited by the Cl0p ransomware group. Shodan queries indicate that there are approximately 1,000 public-facing MOVEit Transfer SFTP servers and roughly 70 public-facing MOVEit Gateway SFTP servers. (Note that not all of these may be vulnerable to these latest CVEs.)

MOVEit customers should apply the vendor-supplied updates for both vulnerabilities immediately.

The following versions of MOVEit Transfer are vulnerable to CVE-2024-5806:

Per the vendor guidance, customers should verify that they have blocked public inbound RDP access to their MOVEit Transfer server(s), and that they have limited outbound access from MOVEit Transfer server(s) to only known trusted endpoints. The advisory also notes: “Customers using the MOVEit Cloud environment have already been patched and are no longer vulnerable to this vulnerability.”
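The two advisory mitigations (no public inbound RDP, outbound traffic only to known trusted endpoints) are host-firewall changes on the MOVEit Transfer server, and the outbound restriction is also what defeats the forced-authentication piece of the exploit chain: if the server cannot open an SMB connection to an arbitrary host, an attacker-supplied UNC path cannot coerce the Windows service account into authenticating outward. The following is an added example of how to express both mitigations with the built-in Windows Firewall cmdlets; it is not code from the Rapid7 post or from Progress Software. Every address and subnet in it is a hypothetical placeholder, and the port list for domain services is illustrative, so inventory the server’s real egress before applying it.

```powershell
# Added example (not Rapid7's or Progress Software's code): Windows Firewall hardening
# for a MOVEit Transfer host with the NetSecurity module cmdlets.
# Hypothetical addresses: 10.10.20.0/24 = admin/jump-host subnet,
# 10.10.30.5 = the one file share MOVEit needs, 10.10.30.10/.11 = domain controllers.
# Run from an elevated PowerShell session on the MOVEit Transfer server.

$AdminSubnet  = '10.10.20.0/24'
$TrustedShare = '10.10.30.5'
$DomainCtrls  = @('10.10.30.10', '10.10.30.11')

# 1. Inbound RDP. The stock "Remote Desktop" rule group allows TCP/3389 from any
#    address. Disable it and re-allow 3389 only from the admin subnet. Inbound
#    default action is already Block, so no separate block rule is required.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName 'MOVEit - RDP from admin subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AdminSubnet -Action Allow -Profile Any

# 2. Outbound. Flip every profile to default-deny egress, then add narrow allows.
#    With this in place a forced-authentication attempt (SMB to an attacker host)
#    is dropped at the host firewall.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# Domain services (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, LDAPS) to the DCs only.
New-NetFirewallRule -DisplayName 'MOVEit - AD services to DCs (TCP)' `
    -Direction Outbound -Protocol TCP -RemotePort 53,88,135,389,445,636 `
    -RemoteAddress $DomainCtrls -Action Allow
New-NetFirewallRule -DisplayName 'MOVEit - DNS/Kerberos to DCs (UDP)' `
    -Direction Outbound -Protocol UDP -RemotePort 53,88 `
    -RemoteAddress $DomainCtrls -Action Allow

# SMB only to the single trusted file server.
New-NetFirewallRule -DisplayName 'MOVEit - SMB to trusted share' `
    -Direction Outbound -Protocol TCP -RemotePort 445 `
    -RemoteAddress $TrustedShare -Action Allow

# 3. Verify. Show the per-profile defaults, then list any enabled outbound Allow rule
#    that still permits TCP/445 (or any port) to any remote address; the list should be empty.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction

Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        ($pf.RemotePort -contains '445' -or $pf.RemotePort -eq 'Any') -and
        $af.RemoteAddress -eq 'Any'
    } |
    Select-Object DisplayName, Profile
```

Switching the profiles to a default-deny outbound policy will also cut off anything not explicitly allowed (Windows Update, a remote SQL Server or MySQL backend, MOVEit Automation, licensing callbacks), so capture the server’s established connections first (for example with Get-NetTCPConnection -State Established) and add an allow rule per legitimate destination before changing the default. Windows Firewall evaluates Block rules ahead of Allow rules, which is why the example relies on the profile default rather than on a broad “block 445” rule that would also break the trusted share. Host rules are a complement to, not a substitute for, the same restrictions on the network firewall in front of the server.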

Only MOVEit Gateway 2024.0.0 is vulnerable to CVE-2024-5805, per the vendor advisory. The vulnerability is fixed in MOVEit Gateway 2024.0.1. The advisory indicates that “MOVEit Cloud does not use MOVEit Gateway, so no further action is needed by MOVEit Cloud customers.”

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2024-5805 and CVE-2024-5806 with authenticated vulnerability checks available in the June 25 content release.

Updates

June 25, 2024: Exploit attempts have been reported against honeypots. Rapid7 customer language updated to note general availability of InsightVM/Nexpose checks.

June 26, 2024: We have updated this blog to reflect the change in severity and guidance for CVE-2024-5806. On June 26, 2024, Progress Software updated the advisory for CVE-2024-5806 to state that “a newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue.” The severity rating for CVE-2024-5806 was also changed from “High” to “Critical.”

As of June 26, it is unclear whether the new “credential theft via forced authentication” aspect is part of the original CVE-2024-5806 issue or a completely separate new vulnerability that was publicly released before Progress Software or the third-party library producer was able to publish a fix or mitigation guidance. Regardless, the advisory now includes two new mitigation recommendations: “Verify you have blocked public inbound RDP access to MOVEit Transfer server(s)” and “Limit outbound access from MOVEit Transfer server(s) to only known trusted endpoints.”
