DIVD-2023-00023 - SQL injection in MOVEit Transfer - CVE-2023-34362
| Our reference | DIVD-2023-00023 |
| Case lead | Alwin Warringa |
| Author | Max van der Horst |
| Researcher(s) | |
| CVE(s) | |
| Product | MOVEit Transfer |
| Versions |
|
| Recommendation | Apply firewall rules to block any HTTP traffic on ports 80 and 443 until patch installment, review and delete any unauthorized users and files, install the provided patch. |
| Status | Closed |
| Last modified | 27 Jul 2023 13:51 CEST |
Summary
Progress has discovered the active exploitation of a SQL injection vulnerability in MOVEit Transfer, a managed file transfer application. This vulnerability is already being picked up by national CERTs and has already been listed by CISA as Known Exploited Vulnerability (KEV). Misuse of this vulnerability could lead to privilege escalation and theft of data.
What you can do
Progress has listed two mitigations and a remediation step. If you cannot immediately patch, make sure to add firewall rules that block HTTP traffic on ports 80 and 443. Additionally, it is wise to review and remove any unauthorized users or files. If you can, install the provided patch immediately.
What we are doing
DIVD is currently working to identify vulnerable parties and notifying these. We do this by finding MOVEit Transfer instances and extracting the version name. Vulnerable parties will receive a notification with remediation steps.
Timeline
| Date | Description |
|---|---|
|
02 Jun 2023- 27 Jul 2023 |
NCSC-NL publishes advisory. |
| 02 Jun 2023 | Vulnerability added to CISA’s Known Exploited Vulnerabilities. |
| 02 Jun 2023 | DIVD starts researching fingerprint. |
| 03 Jun 2023 | DIVD conducts first scan. |
| 03 Jun 2023 | DIVD performs first mailrun. |
| 03 Jun 2023 | First version of this casefile. |
| 15 Jun 2023 | New zero day vulnerability found and published online |
| 03 Jul 2023 | DIVD sent out a second and final round of notifications. |
| 25 Jul 2023 | Case closed. |