“This is a devastating attack,” watchTowr Labs researchers wrote. “It allows anyone who is able to place a public key on the server to assume the identity of any SFTP user at all. From here, this user can do all the usual operations—read, write, or delete files, or otherwise cause mayhem.”
A separate attack described by the watchTowr researchers allows attackers to obtain cryptographic hashes masking user passwords. It works by manipulating SSH public key paths to execute a “forced authentication” using a malicious SMB server and a valid username. The technique will expose the cryptographic hash masking the user password. The hash, in turn, must be cracked.
The researchers said that the requirement of uploading a public key to a vulnerable server isn’t a particularly high hurdle for attackers to clear, because the entire purpose of MOVEit is to transfer files. It’s also not especially hard to learn or guess the names of user accounts on a system. The watchTowr post also noted that their exploits use IPWorks SSH, a commercial product Progress Software extends in MOVEit.
The Progress Software advisory said: “A newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue mentioned above if left unpatched. While the patch distributed by Progress on June 11th successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk.”
The post advised customers to ensure inbound RDP access to MOVEit servers is blocked and to restrict outbound access to known trusted endpoints from MOVEit servers. A company representative declined to say if that component was IPWorks SSH.
The vulnerability affects MOVEit Transfer versions:
- 2023.0.0 before 2023.0.11
- 2023.1.0 before 2023.1.6
- 2024.0.0 before 2024.0.2
Fixes for 2023.0.11, 2023.1.6, and 2024.0.2 are available here, here, and here, respectively. MOVEit users can check the version they’re running using this link.
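The version ranges above are the kind of thing admins end up checking across many hosts, so here is an added example (not code from the article, watchTowr, or Progress Software) that tests a MOVEit Transfer version string against the three affected ranges. It assumes plain dotted numeric version strings such as "2023.1.4"; the hostnames and versions in the inventory are constructed sample data.

```python
# Added example: triage MOVEit Transfer versions against the affected ranges
# listed in the advisory. Version strings are assumed to be dotted numerics
# (an assumption; vendor build suffixes are not handled).
from typing import Dict, Optional, Tuple

# (first affected, first fixed) per branch, straight from the advisory's list.
AFFECTED_RANGES = [
    ("2023.0.0", "2023.0.11"),
    ("2023.1.0", "2023.1.6"),
    ("2024.0.0", "2024.0.2"),
]

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2023.0.11' into (2023, 0, 11) so comparisons are numeric.

    Comparing the raw strings is the classic mistake: '2023.0.11' < '2023.0.9'
    lexicographically, which would mark a vulnerable 2023.0.9 as patched.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))  # pad '2023.1' -> 2023.1.0
    return nums[0], nums[1], nums[2]

def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release for a vulnerable version, or None if not affected."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return first_fixed
    return None

def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'patched' or 'upgrade to <version>' for a quick worklist."""
    result = {}
    for host, version in inventory.items():
        fixed = fixed_version_for(version)
        result[host] = "patched" if fixed is None else f"upgrade to {fixed}"
    return result

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"mft-01": "2023.0.9", "mft-02": "2023.1.6", "mft-03": "2024.0.1"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```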
Given the damage resulting from the mass exploitation of last year’s MOVEit vulnerability, it’s likely this latest one could follow a similar path. Affected admins should prioritize investigating if they’re vulnerable ASAP and respond appropriately. Additional analysis and guidance is available here and here.