On May 31, 2023, Progress released a security advisory for their MOVEit Transfer application detailing a SQL injection vulnerability leading to remote code execution. Customers were urged to update to the latest version. This vulnerability, CVE-2023-34362, was believed to have been exploited in the wild as a 0-day dating back at least 30 days. Threat intelligence reports suggested that exploitation activity could be traced back to 2021. The attacks were attributed to the cl0p ransomware gang, involved in several other recent 0-day ransomware campaigns.
The Vulnerability
Three critical areas of difference were found between the vulnerable and patched versions of the code.
The function UserGetUsersWithEmailAddress() was updated from a concatenated string of several arguments to a safer SQL builder utility. This function is reachable from many code paths, including several unauthenticated paths via guestaccess.aspx.
The function SetAllSessionVarsFromHeaders(), along with its caller from the machine2.aspx handler SILMachine2, was removed in its entirety.
In the GetFileUploadInfo() function, a new check was added for the State to be null before using a new decryption helper DecryptBytesForDatabase.
The Path to Exploitation
The investigation found one potential path to exploitation involving an error in the X-siLock-Transaction function's header processing. The function will incorrectly extract headers that end in X-siLock-Transaction, allowing an attacker to trick the function into passing a request onto the machine2.aspx endpoint. With this, an attacker can manipulate the Cookie header and all other X-siLock- headers, potentially bypassing the XHTMLClean() function's cleaning process.
Where to Look
Keep an eye out for unexpected entries in the database tables 'userexternaltokens', 'trustedexternaltokenproviders', and 'hostpermits', as all of these had entries inserted during the exploit process to gain sysadmin access tokens. Additionally, alterations to the 'fileuploadinfo' table were made to obtain Remote Code Execution (RCE), and this table should also be examined for any unusual entries.
Logs of endpoint traffic provide another valuable source of information. Check the following areas for any signs of suspicious activity:
/Logs/DMZ_WebApi.log
/Logs/DMZ_WEB.log
Look for requests made to /guestaccess.aspx and relayed messages to /machine2.aspx.
/Logs/DMZ_ISAPI.log
Look for requests made to /moveitisapi/moveitisapi.dll?action=m2.
Recommended Remediation
To prevent the successful exploitation of the SQLi vulnerability in your MOVEit Transfer environment, we strongly recommend the immediate implementation of the following mitigation measures:
Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment by modifying firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied.
Please note that until HTTP and HTTPS traffic is re-enabled:
Users cannot log on to the MOVEit Transfer web UI.
MOVEit Automation tasks that use the native MOVEit Transfer host will not work.
REST, Java, and .NET APIs will not work.
The MOVEit Transfer add-in for Outlook will not work.
These steps may cause temporary inconvenience but are crucial to protecting your system from this critical vulnerability until the appropriate patch can be applied.
How Inception Security Can Help
Inception Security understands that "Cybersecurity is about foresight." We're committed to staying one step ahead despite evolving cybersecurity threats. We can help you understand the vulnerabilities in your systems and guide you on how to secure your digital assets effectively. Whether assessing your current cybersecurity posture or aiding in the swift response to new threats, Inception Security is your partner in building and maintaining a robust cybersecurity defense.
Conclusion
The MOVEit Transfer CVE-2023-34362 vulnerability is a serious threat, offering potential remote code execution through SQL injection. Given its likely exploitation before discovery, immediate action and vigilance are essential to protect your digital environment. With our forward-thinking approach, Inception Security is here to assist you in navigating these complexities and ensuring your systems remain secure in the face of emerging threats.
Remember, "Cybersecurity is about foresight." Stay one step ahead with Inception Security.