Facepalm: Progress Software disclosed a new critical vulnerability in its popular managed file transfer tool Moveit. The disclosure comes almost exactly a year after a similar incident put thousands of customers and millions of netizens at risk of SQL injection attacks.
Progress Software Corporation recently published a bulletin about a new security vulnerability in Moveit. The enterprise-focused file transfer application is affected by a critical flaw that cyber-criminals could easily exploit. Progress advised customers to install the most recent version of the software to avoid a new internet-wide security disaster.
The flaw, tracked as CVE-2024-5806, carries a CVSS severity rating of 9.1 out of 10. It lies in Moveit Transfer's SFTP module, a third-party component of the software. The SSH File Transfer Protocol is one of the many file transfer and management standards supported by Moveit, alongside SCP and HTTPS.
The vulnerability gives hackers and cyber-criminals a way to bypass user authentication and gain access to sensitive data. Security analysts at watchTowr Labs said the flaw could be exploited in two scenarios.
The first, most vicious, and "devastating" attack requires bad actors to present a "null" string as the public key during SSH authentication, which can result in a successful login as an existing, trusted user on the vulnerable server.
Progress just un-embargoed a very closely guarded auth bypass in MOVEit Transfer's SFTP mechanism - CVE-2024-5806.
We were lucky enough to receive a tip-off :-) Enjoy our analysis, we had a lot of fun. https://t.co/GLoCIAki9w
– watchTowr (@watchtowrcyber) June 25, 2024
The other scenario requires the attackers to first capture the cryptographic hashes of existing users' passwords: by manipulating SSH public key paths, they can trigger a "forced authentication" that makes the server give up those hashes. The hashes must then be cracked before the recovered credentials can be used for a malicious login.
Progress said that versions 2023.0, 2023.1, and 2024.0 of Moveit Transfer are vulnerable to CVE-2024-5806, and customers need to upgrade to the latest patched release "immediately." As interim hardening, the company also advised customers to block public inbound RDP access to Moveit Transfer servers and to limit outbound access from those servers to known, trusted endpoints.
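As an added illustration of the network hardening Progress recommends (this is the editor's example, not code from Progress or the article), the following Windows Firewall configuration for a MOVEit Transfer host blocks inbound RDP from everything except an administrative subnet and restricts outbound traffic to an allow-list. The subnet, the trusted endpoint addresses, and the SFTP port are placeholders that must be replaced with values for your own environment. Because Windows Firewall evaluates a matching block rule ahead of any allow rule, the example works by setting the profile defaults to block and then adding narrow allow rules rather than stacking a broad block rule on top of an allow.

```powershell
# Added example, not from Progress or the article. Run in an elevated
# PowerShell session on the MOVEit Transfer server.
# Assumptions (placeholders; edit for your environment):
$AdminSubnet     = '10.0.50.0/24'               # only these hosts may reach RDP
$TrustedOutbound = @('10.0.10.5', '10.0.10.6')   # e.g. database, DNS, SMTP, update servers
$SftpPort        = 22                            # MOVEit SFTP listener (change if customised)
$HttpsPort       = 443                           # MOVEit web/HTTPS listener

# 1. Default-deny in both directions on every profile. Existing allow rules
#    still apply, so the built-in Remote Desktop group is disabled explicitly.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# 2. Inbound: RDP only from the admin subnet; the MOVEit listeners stay open.
New-NetFirewallRule -DisplayName 'MOVEit - RDP from admin subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AdminSubnet -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'MOVEit - Inbound SFTP' `
    -Direction Inbound -Protocol TCP -LocalPort $SftpPort -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'MOVEit - Inbound HTTPS' `
    -Direction Inbound -Protocol TCP -LocalPort $HttpsPort -Action Allow -Profile Any

# 3. Outbound: only the known trusted endpoints. Any server-initiated
#    connection elsewhere (including to an attacker's SMB share) is dropped.
New-NetFirewallRule -DisplayName 'MOVEit - Outbound to trusted endpoints' `
    -Direction Outbound -RemoteAddress $TrustedOutbound -Action Allow -Profile Any

# 4. Verify what is now in force.
Get-NetFirewallProfile | Format-Table Name, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'MOVEit - *' |
    Format-Table DisplayName, Direction, Action, Enabled
```

A default outbound block also stops DNS, Active Directory, Windows Update and anti-malware updates unless those servers are on the trusted list, so build the list from observed traffic and apply the change in a maintenance window. This is a compensating control for the window before patching, not a substitute for installing the fixed release.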
Recent scans by the EU-funded Shadowserver Foundation show more than 1,800 internet-exposed Moveit Transfer instances worldwide. Within hours of the public bulletin, hackers were already racing to exploit the flaw against major organizations and enterprise ventures.
It's not the first time Progress Software has been in a serious security situation. Moveit suffered a similar crisis in 2023 when hackers exploited a critical vulnerability to compromise more than 2,300 organizations, including Shell, British Airways, the US Department of Energy, and Ontario's government birth registry.