MoveIt
Authentication Bypass
Discover the latest critical vulnerabilities in MOVEit Transfer. Learn about CVE...
Threat actors are actively engaged to exploit a critical authentication bypass vulnerability in Progress MOVEit Transfer, shortly after the flaw was made public by the vendor.
MOVEit Transfer is a managed file transfer (MFT) solution utilized in enterprise settings to securely transfer files using protocols such as SFTP, SCP, and HTTP.
These vulnerabilities, notably [CVE-2024-5806](https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806) and [CVE-2024-5805](https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5805), have severe implications for data security across various industries.
This [Threatfeed](https://www.secureblink.com/cyber-security-news) delves into the technical nuances of these vulnerabilities, providing an in-depth understanding of their impact, exploitation mechanisms, and mitigation strategies.
#### Overview of MOVEit Transfer Vulnerabilities
##### CVE-2024-5806: Authentication Bypass Vulnerability
Initially rated with a CVSS score of 7.4, CVE-2024-5806 has been re-evaluated to 9.1, elevating its severity from High to Critical. This vulnerability affects MOVEit Transfer versions from 2023.0.0 before [2023.0.11](https://docs.progress.com/bundle/moveit-transfer-release-notes-2023/page/Whats-New-in-MOVEit-Transfer-2023.html), 2023.1.0 before [2023.1.6](https://docs.progress.com/bundle/moveit-transfer-release-notes-2023_1/page/Whats-New-in-MOVEit-Transfer-2023.1.html), and 2024.0.0 before [2024.0.2](https://docs.progress.com/bundle/moveit-transfer-release-notes-2024/page/Whats-New-in-MOVEit-Transfer-2024.html). The flaw arises from improper error handling in the IPWorks SSH library, allowing attackers to manipulate SSH key data for authentication bypass.
##### CVE-2024-5805: Critical Vulnerability in MOVEit Gateway
CVE-2024-5805, with a CVSS score of 9.1, is a critical vulnerability affecting MOVEit Gateway version 2024.0.0. This vulnerability permits attackers to exploit forced authentication scenarios, enabling them to capture Net-NTLMv2 hashes by connecting to malicious SMB servers.
### Detailed Analysis
#### Newly Identified Vulnerabilities
**CVE-2024-5806 (CVSS 9.1 - Critical)**
- **Affected Product:** MOVEit Transfer
- **Description:** Authentication Bypass
- **Affected Versions:** From 2023.0.0 to 2023.0.11, from 2023.1.0 to 2023.1.6, from 2024.0.0 to 2024.0.2.
**CVE-2024-5805 (CVSS 9.1 - Critical)**
- **Affected Product:** MOVEit Gateway
- **Description:** Authentication Bypass
- **Affected Version:** 2024.0.0
#### Background and Impact
MOVEit Transfer is a managed file transfer (MFT) solution widely used for secure file transfers within and between organizations. The product has a history of critical vulnerabilities, with the [Clop ransomware](https://www.secureblink.com/threat-research/clop-ransomware) exploiting these vulnerabilities in 2023 to steal data from numerous organizations. [MOVEit](https://www.secureblink.com/cyber-security-news/cl0p-ransomware-s-torrent-data-leak-disclosing-mov-eit-s-massive-breach) Gateway is designed to enable safer deployments by acting as a proxy service.
![moveit-dash.webp](https://sb-cms.s3.ap-south-1.amazonaws.com/moveit_dash_186174fbc3.webp)
***Instances of MoveIt Transfer***
The recently identified vulnerabilities have significant implications:
- As of June 25, 2024, 2,700 instances of MOVEit Transfer were observed online, predominantly in the US, UK, Germany, the Netherlands, and Canada.
- The exposure level has remained consistent with previous observations from 2023, highlighting persistent security risks.
### Technical Analysis of CVE-2024-5806
The authentication bypass vulnerability in MOVEit Transfer stems from issues within the IPWorks SSH library. When error handling fails, attackers can manipulate SSH key data to impersonate legitimate users. This flaw enables unauthorized access to sensitive data and systems.
##### Exploitation Mechanics
1. **SSH Key Manipulation**:
Attackers craft malicious SSH key data to bypass authentication checks. The server fails to properly validate the key, granting unauthorized access.
2. **Impersonation Attack**:
By exploiting the manipulated SSH key, attackers can impersonate any user on the server, gaining access to restricted areas and sensitive information.
```python
# Example Code Snippet
def validate_ssh_key(key):
try:
# Error-prone validation process
if not validate(key):
raise InvalidKeyException("Invalid SSH Key")
except InvalidKeyException as e:
log.error("Key validation failed: {}".format(e))
return False
return True
```
In the above code snippet, the `validate_ssh_key` function demonstrates improper handling of SSH key validation, which can be exploited for authentication bypass.
### Technical Analysis of CVE-2024-5805
The critical vulnerability in MOVEit Gateway involves forced authentication scenarios where the server connects to a malicious SMB server. This interaction exposes a Net-NTLMv2 hash, which can be used for further exploitation.
##### Exploitation Mechanics
1. **Forced Authentication**:
Attackers trick the server into authenticating against a malicious SMB server, capturing the Net-NTLMv2 hash.
2. **Hash Exploitation**:
The captured hash can be leveraged to impersonate the server or conduct pass-the-hash attacks, compromising the entire system.
```python
# Example Code Snippet
def connect_to_smb(server, credentials):
try:
# Attempt connection to SMB server
smb_connection = SMBConnection(server, credentials)
smb_connection.authenticate()
except SMBException as e:
log.error("SMB connection failed: {}".format(e))
return False
return True
```
In this code snippet, the `connect_to_smb` function illustrates how forced authentication to a malicious server can expose sensitive credentials.
### Technical Dissection by watchTowr Labs
Researchers from [watchTowr Labs](https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/) provided an in-depth technical analysis of the authentication bypass vulnerabilities:
- **Vulnerability Origin:** Unlike a straightforward SQL injection, this vulnerability arises from the interaction between MOVEit and the IPWorks SSH library, compounded by issues in error handling.
- **Observed Behavior:** During authentication using SSH key pair authentication, the server throws an exception due to illegal characters in the path, indicating mishandled input.
### Exploit Scenarios
#### Forced Authentication Attack
An attacker can exploit this vulnerability by:
1. Supplying a UNC path to a malicious SMB server.
2. The target server attempts to connect, falling back to the less secure Net-NTLMv2 protocol, which can then be exploited to capture authentication hashes.
### Mitigation and Recommendations
To mitigate these vulnerabilities, Progress Software recommends several immediate actions:
1. **Patch Deployment**:
Apply the latest patches for MOVEit Transfer and MOVEit Gateway to mitigate known vulnerabilities.
2. **Restrict RDP Access**:
Block inbound RDP access to MOVEit Transfer to prevent unauthorized remote access.
3. **Limit Outbound Connections**:
Restrict outbound connections to trusted servers only, reducing the risk of forced authentication attacks.
Additionally, users should apply patches as soon as they are available and monitor network traffic for any unusual activity indicating attempted exploitation.
### Exposure Analysis
As of June 25, 2024, approximately 2,700 instances of MOVEit Transfer are online, predominantly in the United States. The majority of these instances are hosted on Microsoft or Amazon autonomous systems, underscoring the widespread usage and potential risk of exploitation.
### Conclusion
The vulnerabilities in MOVEit Transfer and MOVEit Gateway present significant risks to data security. CVE-2024-5806 and CVE-2024-5805 exemplify how flaws in authentication mechanisms can be exploited to gain unauthorized access and compromise sensitive systems. By understanding the technical details and implementing recommended mitigations, organizations can protect themselves against these critical threats.
The identification of these new vulnerabilities in MOVEit Transfer and Gateway underscores the importance of robust cybersecurity measures. Organizations using these products should prioritize applying the recommended mitigations and closely monitor their systems for signs of compromise.
For further details and continuous updates, refer to Progress Software's advisory and security bulletins. Through meticulous evaluation and proactive measures, the integrity and security of critical systems can be maintained.