MOVEit Transfer customers warned to patch new critical flaw


MOVEit Transfer, the software at the center of the recent massive spree of Clop ransomware breaches, has received an update that fixes a critical-severity SQL injection bug and two other less severe vulnerabilities.

SQL injection vulnerabilities allow attackers to craft input that is interpreted as part of a database query, letting them read data they should not see or tamper with it by running SQL statements of their own choosing. For these attacks to be possible, the target application must fail to keep untrusted input separate from the query it builds, for example by concatenating user-supplied strings into SQL text instead of passing them as bound parameters.
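As an added illustration that is not part of the article and is unrelated to MOVEit's own code, the following Python snippet uses the standard sqlite3 module on a constructed in-memory table (a made-up `users` schema) to show the difference the paragraph describes: the first lookup splices the input into the SQL text, so a value containing quote characters changes the query's structure and returns every row; the second binds the same value as a parameter, so it is compared as a plain string and returns nothing.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory database (not a real product schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """Untrusted input is concatenated into the SQL text.

    Because the value becomes part of the statement itself, input that
    contains SQL syntax can alter the WHERE clause rather than merely
    supplying a username to compare against.
    """
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    """Same lookup with a bound parameter.

    The driver sends the SQL and the value separately, so the database
    never parses the input as SQL; quote characters are just characters.
    """
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run both lookups on a benign value and on a crafted one (constructed)."""
    conn = make_db()
    benign = "alice"
    crafted = "x' OR '1'='1"  # constructed sample input containing SQL syntax
    return {
        "vuln_benign": lookup_user_vulnerable(conn, benign),
        "vuln_crafted": lookup_user_vulnerable(conn, crafted),
        "safe_benign": lookup_user_safe(conn, benign),
        "safe_crafted": lookup_user_safe(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The lesson for reviewers and defenders is that the safe version needs no input filtering at all: parameter binding removes the ambiguity between data and query structure, which is why it is the standard fix for this class of bug rather than attempts to sanitize characters.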

Progress, the developer of MOVEit Transfer, discovered multiple SQL injection problems in their product that include a critical one tracked as CVE-2023-36934, which can be exploited without user authentication.

“An SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database,” reads Progress’s security bulletin.

“An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content” – MOVEit Transfer advisory

The second SQL injection flaw is identified as CVE-2023-36932 and received a high-severity rating because an attacker could exploit it after authentication.

The two SQL injection security issues impact multiple versions of MOVEit Transfer, including 12.1.10 and older, 13.0.8 and older, 13.1.6 and older, 14.0.6 and older, 14.1.7 and older, and 15.0.3 and older.

A third vulnerability addressed with this patch is CVE-2023-36933, a high-severity problem that lets attackers cause unexpected termination of the program.

This flaw impacts MOVEit Transfer versions 13.0.8 and older, 13.1.6 and older, 14.0.6 and older, 14.1.7 and older, and 15.0.3 and older.

Users of MOVEit Transfer are advised to upgrade to the versions listed in the table below, which address the vulnerabilities described above.

Progress adopts security Service Packs

About a month ago, hackers, most notably the Clop ransomware gang, mass-exploited a zero-day vulnerability in the MOVEit Transfer product, tracked as CVE-2023-34362, to steal data from large organizations worldwide.

The software vendor fixed the flaw a few days after its discovery, but it was later revealed that exploitation in the wild had begun roughly two years before the fixes arrived.

Progress launched a security audit soon after, which led to discovering and patching additional critical-severity flaws.

As the American software company still deals with the massive repercussions of the security incident, it has decided to introduce regular security updates called “Service Packs,” released every month.

As part of this new approach, the software upgrade process is being streamlined, allowing MOVEit Transfer admins to apply fixes more quickly and easily than before.
