CVE-2023-34362: Progress MOVEit Transfer SQL Injection Vulnerability
Updates:
June 13th, 2023: Added CVE identification with templated rule CVE-2023-34362
June 13th, 2023: Added new timeline details
What you need to know:
On May 31, 2023, Progress released a security advisory about a critical vulnerability that could lead to unauthorized access in MOVEit Transfer.
Based on publicly available information, exploitation of the SQL injection vulnerability (CVE-2023-34362) began on May 27, 2023. MOVEit Transfer web applications accessible over the internet were compromised, and a web shell was dropped to facilitate the exfiltration of data.
There are patches available for CVE-2023-34362.
Fastly Next-Gen WAF (NGWAF) customers can protect themselves from this vulnerability by enabling the templated rule CVE-2023-34362.
Progress MOVEit Transfer is a managed file transfer (MFT) solution. It is a software platform designed to facilitate the transfer of files between individuals and organizations. A SQL injection vulnerability was discovered in all versions of MOVEit Transfer’s on-premises solution. The vulnerability enables an unauthenticated attacker to gain access to MOVEit’s database. Unpatched systems are susceptible to exploitation over HTTP or HTTPS. According to GreyNoise, scanning activity to discover internet-accessible MOVEit installations started as early as March 3rd, 2023. The first publicly reported exploitation of this vulnerability started in May of 2023.
Timeline:
April 27th, 2022 - Kroll observed activity consistent with MOVEit Transfer exploitation.
March 3rd, 2023 - Earliest scanning activity to discover internet-accessible MOVEit installations, reported by GreyNoise.
May 9th, 2023 - Earliest SQL injection attempts on MOVEit Transfer endpoints, observed by Fastly.
May 27th, 2023 - First publicly reported exploitation of the vulnerability, reported by Rapid7.
May 31st, 2023 - Progress released a security advisory.
June 2nd, 2023 - CVE-2023-34362 assigned.
June 5th, 2023 - CL0P Ransomware Gang, also known as TA505, claims responsibility for MOVEit extortion attacks, reported by BleepingComputer.
June 12th, 2023 - Technical analysis and PoC (Proof of Concept) released by Rapid7.
What’s the impact: Attackers exploiting this vulnerability may be able to extract information about the database structure and content, and to execute SQL statements that modify or delete elements within the underlying database. Additionally, after recreating the exploit, Huntress found that it enables arbitrary code execution. Reports indicate that exfiltrated data is being used for ransom.
Digging deeper: Fastly observed SQL injection attempts on MOVEit Transfer endpoints as early as May 9, 2023. In addition, scanning activity picked up substantially after the announcement of CVE-2023-34362 for both SQL injection as well as looking for evidence of the human2.aspx web shell. Microsoft Threat Intelligence has attributed exploitation activity to the Clop ransomware group, which was later confirmed by BleepingComputer, after the group claimed responsibility for the MOVEit Transfer attacks.
What you should do: If your organization is running MOVEit Transfer, you should follow the instructions given in the Progress security advisory. Additionally, you should search for indicators of compromise beyond the initially suggested 30-day window, because exploitation has been reported outside that timeframe. If you have an NGWAF site configuration specifically for MOVEit Transfer, we encourage you to enable the templated rule for CVE-2023-34362 immediately and configure it to blocking mode.
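As an added defender-side example (not code from the Fastly advisory, Progress or any of the linked reports), the following Python sweep reads IIS W3C log lines, flags requests for the human2.aspx web shell named above, separates a served request (2xx, so the file existed) from a scanner probe (non-2xx), and shows why a 30-day lookback can miss the earliest hits. The log field order and the sample lines are constructed assumptions.

```python
import re
from collections import namedtuple
from datetime import date

# Indicator named in the advisory: the web shell dropped on compromised hosts.
WEBSHELL_IOC = "human2.aspx"

# IIS W3C field order assumed for the constructed sample below; check the real
# "#Fields:" header of your logs and adjust the pattern if it differs.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\S+) (?P<method>\S+) (?P<uri>\S+) "
    r"(?P<query>\S+) (?P<port>\d+) (?P<ip>\S+) (?P<ua>\S+) (?P<status>\d{3})$"
)

# kind is "shell-present" when the server answered 2xx (the file existed and
# was served) and "probe" otherwise (a scanner checking whether the shell exists).
Hit = namedtuple("Hit", "when client_ip method status kind")

def find_webshell_hits(log_text, since_iso):
    """Return requests for the web shell dated on or after since_iso (YYYY-MM-DD), oldest first."""
    since = date.fromisoformat(since_iso)
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m is None:  # header, blank or malformed line: skip it, don't abort the sweep
            continue
        when = date.fromisoformat(m["date"])
        if when < since:
            continue
        # Compare the file name only, so MOVEit's legitimate /human.aspx never matches.
        if m["uri"].rsplit("/", 1)[-1].lower() != WEBSHELL_IOC:
            continue
        status = int(m["status"])
        kind = "shell-present" if 200 <= status < 300 else "probe"
        hits.append(Hit(when, m["ip"], m["method"], status, kind))
    return sorted(hits, key=lambda h: h.when)

def earliest_hit(hits):
    return min((h.when for h in hits), default=None)

# Constructed sample, not real traffic: a legitimate page load, a served shell
# request in May, a scanner probe answered 404 in June, and a malformed line.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-05-02 10:15:01 GET /human.aspx - 443 203.0.113.5 Mozilla/5.0 200
2023-05-28 03:12:45 POST /human2.aspx - 443 198.51.100.7 Mozilla/5.0 200
2023-06-10 08:00:00 GET /human2.aspx - 443 192.0.2.9 python-requests/2.31 404
2023-06-11 truncated line
"""
```

Run on July 1st with the 30-day window (since June 1st) the sweep returns only the June probe; starting from the March 3rd scanning date reported by GreyNoise recovers the May 28th served request, and that earliest date is what should set the scope of the investigation.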
Further reading:
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
https://www.greynoise.io/blog/progress-moveit-transfer-critical-vulnerability
https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft
https://attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis