CVE-2023-34362

MOVEit Transfer vulnerability analysis and mitigation — CRITICAL (CVSS 9.8)

High Profile Threat

Overview

Progress MOVEit Transfer contains a critical SQL injection vulnerability in its web application that allows unauthenticated attackers to access or modify the database. The vulnerability exists in versions before 2021.0.6, 2021.1.4, 2022.0.4, 2022.1.5, and 2023.0.1 due to unsanitized input handling. It has been actively exploited in the wild and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The vulnerability was disclosed on June 2, 2023. CISA has identified CVE-2023-34362 as actively exploited, and it is known to be used in ransomware campaigns.

Technical details

Progress MOVEit Transfer contains an unauthenticated SQL injection vulnerability in the web application. The vulnerability is caused by improper sanitization of user-supplied input, which is directly concatenated into SQL queries. Attackers can exploit this vulnerability by sending specially crafted HTTP requests containing SQL commands to the vulnerable endpoint. The vulnerability requires no authentication, making it particularly severe.

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')).

The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating its critical nature.

Impact

Successful exploitation allows unauthenticated attackers to execute arbitrary SQL commands against the MOVEit Transfer database. Attackers can read sensitive data including user credentials, file transfer records, encryption keys, and other confidential information. Additionally, attackers can modify or delete database records, potentially compromising file integrity, altering audit logs, and disrupting service availability. The severity is compounded by the fact that this vulnerability was actively exploited by the Cl0p ransomware group targeting enterprise organizations, leading to large-scale data breaches.

Mitigation and workarounds

Progress Software has released patched versions addressing this vulnerability. Organizations should immediately upgrade to one of the fixed versions. Each long-term support (LTS) branch has its own minimum fixed version: 2021.0.6 (2021 LTS), 2021.1.4 (2021.1 LTS), 2022.0.4 (2022.0 LTS), 2022.1.5 (2022.1 LTS), and 2023.0.1 (2023.0 LTS). Installation instructions are available in the official Progress security advisory.
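Because each LTS branch has its own fix, a plain numeric comparison misjudges builds such as 2022.0.3 (numerically above 2021.1.4, yet unpatched). The following branch-aware check is an added example written for this page, not code from Progress or CISA; the version table is taken from the advisory text above, and the version strings fed to it are constructed samples.

```python
"""Branch-aware fixed-version check for CVE-2023-34362 (MOVEit Transfer).

Each LTS branch (major.minor) maps to the minimum build that carries the fix,
as listed in the advisory. Example code, not vendor tooling.
"""
from typing import Dict, Optional, Tuple

# Minimum fixed build per LTS branch: (major, minor) -> full fixed version.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (2021, 0): (2021, 0, 6),
    (2021, 1): (2021, 1, 4),
    (2022, 0): (2022, 0, 4),
    (2022, 1): (2022, 1, 5),
    (2023, 0): (2023, 0, 1),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2022.1.3' into (2022, 1, 3); reject strings without a branch."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unrecognised MOVEit version string: {text!r}")
    return parts


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build predates its branch's fix, False if it is patched.

    Returns None for branches the advisory lists no fix for (e.g. an
    end-of-life 2020.x build); those need the vendor advisory, not this table.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        return None
    # Pad a short string so '2023.0' compares like '2023.0.0'.
    padded = v + (0,) * max(0, len(fixed) - len(v))
    return padded < fixed


def triage(versions: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> status for a constructed inventory of installed builds."""
    labels = {True: "VULNERABLE", False: "patched", None: "unknown branch"}
    return {host: labels[is_vulnerable(ver)] for host, ver in versions.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and builds are illustrative.
    inventory = {"mft-01": "2022.0.3", "mft-02": "2023.0.1", "mft-03": "2020.1.6"}
    for host, status in triage(inventory).items():
        print(f"{host}: {status}")
```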

As temporary workarounds until patches can be applied: restrict network access to the MOVEit Transfer web application using firewall rules or network segmentation, limiting access to trusted IP addresses only; disable public internet access to MOVEit Transfer if it is not required for external users, using a VPN or bastion hosts to control access; and implement web application firewall (WAF) rules to detect and block SQL injection attempts, monitoring for suspicious SQL syntax in HTTP requests.

CISA's recommendation: Apply updates per vendor instructions.

Additional resources

Source: This report was generated using AI

Related Progress Vulnerabilities

No related vulnerabilities found with identified affected products.