WARNING: CRITICAL AUTHENTICATION BYPASS IN PROGRESS MOVEIT SOFTWARE, PATCH IMMEDIATELY!
CVE-2024-5805: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVE-2024-5806: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Sources
https://community.progress.com/s/article/MOVEit-Gateway-Critical-Security-Alert-Bulletin-June-2024-CVE-2024-5805
https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806
Risks
Progress has issued two advisories for authentication bypass vulnerabilities in the Progress MOVEit Transfer and MOVEit Gateway products. These vulnerabilities could allow an unauthenticated, network-based actor to gain access to the server. Unauthorized access could be used to further compromise your environment, exfiltrate the files handled by the transfer service and deploy ransomware.
CVE-2024-5805 and CVE-2024-5806 are rated CRITICAL (CVSS 9.1). Note that the CVSS vector records HIGH impact on confidentiality and integrity and no direct impact on availability (C:H/I:H/A:N).
A proof of concept (PoC) exploiting CVE-2024-5806 has been published (see the watchTowr write-up in the References), and Shadowserver has reported seeing active scanning for this vulnerability.
Authentication bypass vulnerabilities such as CVE-2024-5805 and CVE-2024-5806 are often weaponized by ransomware actors within days of disclosure, as seen with previous vulnerabilities in MOVEit software (see the 2023 CCB advisory in the References).
Description
CVE-2024-5805 is an improper authentication vulnerability in the SFTP module of Progress MOVEit Gateway. Similarly, CVE-2024-5806 is an improper authentication vulnerability in the SFTP module of Progress MOVEit Transfer.
Both vulnerabilities allow an attacker to bypass SFTP authentication and gain access to the system, and to the files it holds, without valid credentials. Neither requires prior privileges or user interaction (PR:N, UI:N), so any internet-exposed SFTP listener of an unpatched instance is reachable by an attacker.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium (CCB) strongly recommends installing the updates on vulnerable systems with the highest priority, after thorough testing. According to the Progress advisories, the fixed releases are MOVEit Transfer 2023.0.11, 2023.1.6 and 2024.0.2, and MOVEit Gateway 2024.0.1; earlier releases in those branches are affected, and older, unsupported branches should be upgraded to a supported fixed release.
If immediate patching is not possible in your environment, apply the mitigation steps Progress describes in its advisory (for MOVEit Transfer: block public inbound RDP access to the MOVEit Transfer servers and limit outbound access from those servers to known, trusted endpoints). These mitigations reduce exposure but do not replace the patch.
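To turn the fixed-release list above into a repeatable check across a fleet, the following Python script triages an inventory of MOVEit version strings branch by branch. It is an added illustration, not tooling from Progress or the CCB; the hostnames and versions in the sample inventory are constructed, and the fixed releases it assumes (Transfer 2023.0.11, 2023.1.6, 2024.0.2; Gateway 2024.0.1) should be verified against the linked Progress advisories before relying on the result.

```python
"""Triage an inventory of MOVEit Transfer / Gateway installs against the
fixed releases named in the Progress advisories for CVE-2024-5806 and
CVE-2024-5805. Added illustration, not Progress or CCB tooling.
Assumed fixed releases (verify against the linked advisories):
Transfer 2023.0.11, 2023.1.6, 2024.0.2; Gateway 2024.0.1."""

TRANSFER = "MOVEit Transfer"
GATEWAY = "MOVEit Gateway"

# (product, branch) -> first release in that branch that carries the fix.
FIXED = {
    (TRANSFER, (2023, 0)): (2023, 0, 11),
    (TRANSFER, (2023, 1)): (2023, 1, 6),
    (TRANSFER, (2024, 0)): (2024, 0, 2),
    (GATEWAY, (2024, 0)): (2024, 0, 1),
}
CVE = {TRANSFER: "CVE-2024-5806", GATEWAY: "CVE-2024-5805"}


def parse_version(text):
    """'2023.1.5' -> (2023, 1, 5). A two-part string is padded with 0;
    extra build components are kept but only the first three are compared.
    Malformed strings raise ValueError rather than silently passing."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    return parts + (0,) * (3 - len(parts))


def assess(product, version):
    """Return 'patched', 'vulnerable' or 'unlisted-branch'.
    Branches the advisory does not enumerate (e.g. end-of-life 2022.x)
    must be checked by hand; they are never reported as safe here."""
    v = parse_version(version)
    fixed = FIXED.get((product, v[:2]))
    if fixed is None:
        return "unlisted-branch"
    return "patched" if v[:3] >= fixed else "vulnerable"


def triage(inventory):
    """inventory: iterable of (host, product, version). Returns rows of
    (host, product, version, status, cve), vulnerable hosts first."""
    rows = [(host, product, version, assess(product, version), CVE[product])
            for host, product, version in inventory]
    order = {"vulnerable": 0, "unlisted-branch": 1, "patched": 2}
    return sorted(rows, key=lambda r: order[r[3]])


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("mft-prod-01", TRANSFER, "2024.0.1"),
    ("mft-prod-02", TRANSFER, "2024.0.2"),
    ("mft-legacy", TRANSFER, "2023.0.10"),
    ("mft-old", TRANSFER, "2022.1.9"),
    ("gw-dmz-01", GATEWAY, "2024.0.0"),
    ("gw-dmz-02", GATEWAY, "2024.0.1"),
]

if __name__ == "__main__":
    for host, product, version, status, cve in triage(SAMPLE_INVENTORY):
        print(f"{status:16} {host:14} {product} {version} ({cve})")
```

Feed it the output of your asset inventory or CMDB export; anything reported as vulnerable or unlisted-branch should be patched (or isolated and mitigated) first, and the check is only as good as the accuracy of the version strings collected.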
Monitor/Detect
The CCB recommends that organizations scale up monitoring and detection capabilities to identify any related suspicious activity, for example unexpected SFTP logins, file downloads or new accounts on MOVEit hosts, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version protects against future exploitation, it does not remediate a compromise that has already taken place. Review MOVEit SFTP and web logs from before the patch date for signs of prior intrusion, and treat any finding as an incident.
References
https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/
https://www.rapid7.com/blog/post/2024/06/25/etr-authentication-bypasses-in-moveit-transfer-and-moveit-gateway/
https://x.com/Shadowserver/status/1805676078620401831
https://www.cert.be/en/advisory/warning-critical-actively-exploited-unauthenticated-remote-code-execution-0-day