WARNING: CRITICAL AUTHENTICATION BYPASS IN PROGRESS MOVEIT SOFTWARE, PATCH IMMEDIATELY!

Reference: Advisory #2024-96
Version: 1.0
Affected software:
Progress MOVEit Transfer from 2023.0.0 before 2023.0.11
Progress MOVEit Transfer from 2023.1.0 before 2023.1.6
Progress MOVEit Transfer from 2024.0.0 before 2024.0.2
Progress MOVEit Gateway 2024.0.0
Type: Authentication Bypass
CVE/CVSS:
CVE-2024-5805: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVE-2024-5806: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Sources

https://community.progress.com/s/article/MOVEit-Gateway-Critical-Security-Alert-Bulletin-June-2024-CVE-2024-5805
https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806

Risks

Progress has issued two advisories for authentication bypass vulnerabilities in Progress MOVEit Transfer and Gateway products. These vulnerabilities could allow an unauthorized actor to gain access to the server. Unauthorized access could be used to further compromise your environment and deploy ransomware.

CVE-2024-5805 and CVE-2024-5806 are rated as CRITICAL with HIGH impact on the CIA triad.

A Proof of Concept (POC) exploiting these vulnerabilities is available. Shadowserver has reported seeing active scanning for this vulnerability.

Authentication bypass vulnerabilities such as CVE-2024-5805 and CVE-2024-5806 are often quickly weaponized by ransomware actors, as seen with previous vulnerabilities in MOVEit software.

Description

CVE-2024-5805 is an authentication vulnerability in the Progress MOVEit Gateway SFTP module. Similarly, CVE-2024-5806 is an authentication vulnerability in the Progress MOVEit Transfer SFTP module.

Both vulnerabilities result in an authentication bypass allowing attackers to gain access to the system without valid credentials.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

If immediate patching is not possible in your environment, Progress has described mitigation steps in their advisory.
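To prioritise patching, an inventory can be checked against the affected version ranges listed in this advisory. The script below is an added example, not code from the CCB or Progress; it assumes versions are recorded in the year-based form used above, and the host names in the sample inventory are constructed.

```python
import re

# Affected ranges copied from this advisory: (product, first affected, first fixed).
# A fixed value of None means only that exact version is listed (MOVEit Gateway).
AFFECTED = [
    ("transfer", (2023, 0, 0), (2023, 0, 11)),
    ("transfer", (2023, 1, 0), (2023, 1, 6)),
    ("transfer", (2024, 0, 0), (2024, 0, 2)),
    ("gateway", (2024, 0, 0), None),
]

def parse_version(text):
    """Parse 'YYYY.minor.patch' into a tuple of ints; reject anything else."""
    m = re.fullmatch(r"\s*(\d{4})\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())

def triage(product, version_text):
    """Return 'affected', 'fixed' or 'not-listed' for one installation."""
    product = product.strip().lower()
    version = parse_version(version_text)
    same_branch = False
    for name, first, fixed in AFFECTED:
        if name != product:
            continue
        if fixed is None:
            if version == first:
                return "affected"
            continue
        if first[:2] == version[:2]:
            same_branch = True
            if first <= version < fixed:
                return "affected"
    # On a listed branch at or above the fixed release: patched.
    # Any other branch is not covered by this advisory; check the vendor bulletin.
    return "fixed" if same_branch else "not-listed"

if __name__ == "__main__":
    # Constructed sample inventory: (host, product, version).
    inventory = [
        ("mft-01.example.internal", "Transfer", "2023.0.10"),
        ("mft-02.example.internal", "Transfer", "2024.0.2"),
        ("gw-01.example.internal", "Gateway", "2024.0.0"),
        ("mft-old.example.internal", "Transfer", "2022.1.5"),
    ]
    for host, product, version in inventory:
        print(f"{host:28} {product:9} {version:10} {triage(product, version)}")
```

A result of "not-listed" means the advisory does not mention that branch, not that the installation is safe.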

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/
https://www.rapid7.com/blog/post/2024/06/25/etr-authentication-bypasses-in-moveit-transfer-and-moveit-gateway/
https://x.com/Shadowserver/status/1805676078620401831
https://www.cert.be/en/advisory/warning-critical-actively-exploited-unauthenticated-remote-code-execution-0-day