Key Points
TLDR
- This vulnerability (CVE-2024-5806) affects Progress MOVEit servers utilising SFTP and allows attackers to log in as any user if they can guess that user's username. Depending on how MOVEit is configured, this could be a trivial step.
- You should identify all instances of Progress MOVEit and apply all available patches as soon as possible.
What is the Progress MOVEit vulnerability (CVE-2024-5806)?
Yesterday, on the 25th of June, Progress released information regarding a serious vulnerability affecting their managed file transfer tool, MOVEit.
The vulnerability (CVE-2024-5806) affects the SFTP service and would allow an attacker to bypass authentication. Patches were made available earlier in the month, and the information regarding CVE-2024-5806 had been under embargo to allow customers to patch their systems.
In addition to the announcement post by Progress, Watchtowr also released a technical blog post detailing the vulnerability. The researchers at Watchtowr were tipped off (date unknown) that this vulnerability was coming, and that Progress had an embargo in place preventing the release of vulnerability details before the 25th of June.
Once the embargo was lifted, the vulnerability announcement page by Progress scored it as CVSS 7.4 (High) and described it as exploitable in "limited scenarios".
However, following the release of the Watchtowr blog and accompanying proof of concept, Progress have updated the score to 9.1 (Critical) and dropped the "limited scenarios" caveat. This can be confirmed by viewing the earlier version of the page that was cached by Google.
Upon reflection, this could be an attempt to downplay the seriousness of the vulnerability - this wouldn't be the first time a vendor had attempted to do so this year.
It's commonplace for defenders to have SLAs to meet: a 'time to fix' target that depends on how bad a vulnerability is. If vendors try to make themselves look better by claiming the latest vulnerability in their product "isn't that bad", this can only hurt their users, who may take longer to react, giving attackers a wider window within which to act. An attacker who has taken the time to analyze the patch and discover the vulnerability will know how serious it is, and will focus on exploiting unpatched systems as soon as possible. That makes this kind of under-playing of vulnerabilities a dangerous game for vendors to play.
The benefit of the doubt could perhaps be given to Progress on this one, since they have now updated their advisory and amended the CVSS score to 9.1, but a cynic's view would suggest that their hand was forced by Watchtowr's full writeup, and they may not have been so keen had that information not gone public.
What versions of Progress MOVEit are affected by CVE-2024-5806?
CVE-2024-5806 affects the following versions of Progress MOVEit:
- from 2023.0.0 before 2023.0.11
- from 2023.1.0 before 2023.1.6
- from 2024.0.0 before 2024.0.2
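To make the inventory step concrete, here is an added example (not from the Progress advisory or from Intruder's tooling) that triages a list of MOVEit Transfer hosts against the three version ranges above. The hostnames and versions are constructed sample data, and versions on branches the advisory does not list are reported as unknown rather than safe.

```python
# Triage MOVEit Transfer version strings against the CVE-2024-5806 ranges quoted
# in the advisory above. Hostnames and versions below are constructed sample data.

# (first affected, first fixed) for each branch listed in the advisory.
AFFECTED_RANGES = [
    ((2023, 0, 0), (2023, 0, 11)),
    ((2023, 1, 0), (2023, 1, 6)),
    ((2024, 0, 0), (2024, 0, 2)),
]


def parse_version(version: str) -> tuple:
    """Turn '2023.0.10' into (2023, 0, 10); reject anything non-numeric."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MOVEit version string: {version!r}")
    return tuple(int(p) for p in parts[:3])


def cve_2024_5806_status(version: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for one version string.

    'unlisted' means the version is on a branch the advisory does not name
    (e.g. an older 2022.x release): treat it as unknown, not as safe.
    """
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if v[:2] == first_affected[:2]:  # same year.minor branch as this range
            return "affected" if first_affected <= v < first_fixed else "fixed"
    return "unlisted"


def triage_inventory(inventory: dict) -> dict:
    """Map host -> status so the 'affected' hosts can be patched first."""
    return {host: cve_2024_5806_status(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "mft-01.example.internal": "2023.0.10",  # last unpatched 2023.0 build
    "mft-02.example.internal": "2023.1.6",   # first fixed 2023.1 build
    "mft-03.example.internal": "2024.0.1",   # unpatched 2024.0 build
    "mft-04.example.internal": "2022.1.3",   # branch not in the advisory
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```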
What do I need to do about CVE-2024-5806 and how can Intruder help?
- Identify all Progress MOVEit instances.
- Apply the latest patches that are available and monitor the advisory page that Progress have released.
Intruder's Rapid Response has already informed Premium customers of their exposed servers so they can take action as soon as possible.
Additional reading and research
Changelog
26th June 2024 - Initial Post