Last updated Friday, June 28, 2024, 17:51:57 GMT

On June 25, 2024, Progress Software published information on two new vulnerabilities in MOVEit Transfer and MOVEit Gateway:

  • CVE-2024-5806, a critical authentication bypass affecting the MOVEit Transfer SFTP service in a default configuration; and
  • CVE-2024-5805, a critical SFTP-associated authentication bypass affecting MOVEit Gateway.

Attackers can exploit these improper authentication vulnerabilities to bypass SFTP authentication and gain access to MOVEit Transfer and MOVEit Gateway.

Note: On June 26, 2024, Progress Software updated the advisory for CVE-2024-5806 to state that “A newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue.” The same day, the severity rating for CVE-2024-5806 was changed from “High” to “Critical.” The advisory also now includes two new mitigation recommendations: “Verify you have blocked public inbound RDP access to MOVEit Transfer server(s)” and “Limit outbound access to only known trusted endpoints from MOVEit Transfer server(s).” Based on vendor communications and public discussion, the proof-of-concept exploit code released for MOVEit Transfer on June 25 may also have included a net-new zero-day vulnerability that both Progress Software and the third-party library producer had previously been unaware of.

CVE-2024-5806 is an improper authentication vulnerability affecting the MOVEit Transfer SFTP service that can lead to authentication bypass; the exploit chain that was publicly released on June 25 also allows for the theft of Windows service account credentials via forced authentication (it is unclear as of June 26 whether credential theft via forced authentication is part of the original CVE-2024-5806 issue or a completely separate new vulnerability that was surprise-disclosed to Progress Software and the third-party library producer).

Rapid7 researchers tested a MOVEit Transfer 2023.0.1 instance, which appeared to be vulnerable to CVE-2024-5806 in a default configuration. As of June 25, the known criteria for exploitation of the authentication bypass are threefold: the attacker must know an existing username, the target account must be able to authenticate remotely, and the SFTP service must be exposed. Attackers may attempt username enumeration to identify valid accounts. The forced authentication attack can be performed if the host system’s firewall permits egress traffic for protocols that Windows will automatically authenticate over, such as SMB. Rapid7 recommends installing the vendor-provided patches for CVE-2024-5806 on an emergency basis, without waiting for a regular patch cycle to occur.

Notably, Rapid7 observed that installers for the patched (latest) version of MOVEit Transfer have been available on VirusTotal since at least June 11, 2024. Vulnerability details and proof-of-concept exploit code for MOVEit Transfer CVE-2024-5806 are both public as of June 25, 2024. The non-profit security organization Shadowserver has reported exploitation attempts against its honeypots as of the evening of June 25 (note that honeypot activity does not always correlate with threat activity in real-world production environments).

MOVEit Gateway CVE-2024-5805

According to Progress Software’s advisory, CVE-2024-5805 is a critical authentication bypass vulnerability that affects the SFTP feature of MOVEit Gateway in version 2024.0.0; earlier versions do not appear to be vulnerable, which may limit the available attack surface. MOVEit Gateway is an optional component designed to proxy traffic to and from MOVEit Transfer instances. A patch is available for CVE-2024-5805 and should be applied on an emergency basis by organizations running MOVEit Gateway.

Mitigation guidance

MOVEit is an enterprise file transfer suite, which makes it an attractive target for threat actors. Since enterprise file transfer software typically holds a large volume of confidential data, smash-and-grab attackers target these solutions to extort victims. In June 2023, an unauthenticated exploit chain targeting MOVEit Transfer was widely exploited by the Cl0p ransomware group. Shodan queries indicate there are approximately 1,000 public-facing MOVEit Transfer SFTP servers and approximately 70 public-facing MOVEit Gateway SFTP servers. (Note that not all of these are necessarily vulnerable to these latest CVEs.)

MOVEit customers should apply vendor-provided updates for both vulnerabilities immediately.

The following versions of MOVEit Transfer are vulnerable to CVE-2024-5806:

Per vendor guidance, customers should ensure they have blocked public inbound RDP access to their MOVEit Transfer server(s), and that they are limiting outbound access from MOVEit Transfer server(s) to only known trusted endpoints. The advisory also notes that “Customers using the MOVEit Cloud environment were patched and are no longer vulnerable to this exploit.”
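The two vendor mitigations above, together with the SMB egress condition for the forced-authentication attack described earlier, translate into host firewall rules on the MOVEit Transfer server itself. The PowerShell below is an added example written for this post, not code from Progress Software or Rapid7. The management subnet, the trusted egress addresses, the rule names and the 203.0.113.10 test address are assumed placeholders; replace them with your own values after inventorying what the server actually needs to reach.

```powershell
# Added example (not vendor or Rapid7 code): host-firewall hardening for a
# MOVEit Transfer server, covering the two advisory mitigations and the SMB
# egress condition for the forced-authentication attack. Run in an elevated
# PowerShell session on the Transfer host. Every address below is an assumed
# placeholder.

$MgmtSubnet    = '10.10.50.0/24'                # assumption: subnet admins RDP from
$TrustedEgress = @('10.10.20.5', '10.10.20.6')  # assumption: database server, domain controller

# --- 1. "Block public inbound RDP" -------------------------------------------
# Do NOT pair a Block rule for TCP 3389 with an Allow rule for the management
# subnet: Windows Firewall applies Block rules before Allow rules regardless of
# creation order, so RDP would be blocked from everywhere, including the
# management subnet. Instead, scope the built-in Remote Desktop Allow rules to
# the management subnet and rely on the default inbound action being Block.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $MgmtSubnet
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# --- 2. "Limit outbound access to known trusted endpoints" -------------------
# Forced authentication works by making the server connect outbound over a
# protocol Windows auto-authenticates on (SMB, TCP 445/139) to an
# attacker-controlled host, which then captures the service account's
# credentials. A default-deny outbound policy with explicit Allow rules closes
# that path and any other auto-authenticating egress protocol at the same time.
# Create the Allow rules BEFORE flipping the default, and inventory every
# dependency first (DB, AD, DNS, SMTP, update and licensing endpoints), or the
# server will stop working. No explicit Block rule for 445 is added because it
# would also override the Allow to the domain controller (Block beats Allow).
New-NetFirewallRule -DisplayName 'MOVEit-Out-Allow-Trusted-TCP' -Direction Outbound `
    -Protocol TCP -RemoteAddress $TrustedEgress -Action Allow
New-NetFirewallRule -DisplayName 'MOVEit-Out-Allow-Trusted-UDP' -Direction Outbound `
    -Protocol UDP -RemoteAddress $TrustedEgress -Action Allow
New-NetFirewallRule -DisplayName 'MOVEit-Out-Allow-DNS' -Direction Outbound `
    -Protocol UDP -RemotePort 53 -RemoteAddress DNS -Action Allow
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# --- 3. Verify ---------------------------------------------------------------
# Show the rules and profile defaults as applied, then run a negative test:
# SMB to an untrusted address (203.0.113.10 is a documentation range standing
# in for an attacker host) must now fail, while the trusted domain controller
# must still be reachable on 445.
Get-NetFirewallRule -DisplayName 'MOVEit-Out-*' |
    Format-Table DisplayName, Direction, Action, Enabled
Get-NetFirewallProfile |
    Format-Table Name, DefaultInboundAction, DefaultOutboundAction
(Test-NetConnection -ComputerName 203.0.113.10 -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
(Test-NetConnection -ComputerName $TrustedEgress[1] -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
```

The host firewall is a backstop, not a substitute for the patch: the authentication bypass itself does not depend on egress, so the rules above only remove the credential-theft leg of the published chain and the RDP exposure the advisory calls out. Apply the same outbound restriction at the network edge as well, since a local firewall can be reconfigured by anyone who gains administrative access to the host.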

Only MOVEit Gateway 2024.0.0 is vulnerable to CVE-2024-5805, per the vendor advisory. The vulnerability is fixed in MOVEit Gateway 2024.0.1. The advisory notes that “MOVEit Cloud does not use MOVEit Gateway,” so MOVEit Cloud customers do not need to take further action.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2024-5805 and CVE-2024-5806 with authenticated vulnerability checks available in the June 25 content release.

Updates

June 25, 2024: Exploitation attempts reported against honeypots. Updated the Rapid7 customer language to note general availability of the InsightVM/Nexpose checks.

June 26, 2024: We’ve updated the blog to reflect changes in severity and guidance in the Progress Software advisory for CVE-2024-5806. On June 26, 2024, Progress Software updated the advisory for CVE-2024-5806 with “A newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue.” The severity rating for CVE-2024-5806 was also changed from “High” to “Critical.”

It’s unclear as of June 26 whether the new “credential theft via forced authentication” aspect is part of the original CVE-2024-5806 issue or a completely separate new vulnerability that was released publicly before Progress Software or the third-party library producer were able to release fixes or mitigation guidance. Regardless, the advisory now includes two new mitigation recommendations: “Verify you have blocked public inbound RDP access to MOVEit Transfer server(s)” and “Limit outbound access to only known trusted endpoints from MOVEit Transfer server(s)”.
