Understanding the MOVEit Transfer Vulnerability: Its impact on enterprises and your data.

Introduction:

If you are in information security, IT or networking, chances are you have heard of the latest MOVEit Transfer vulnerabilities (CVE-2023-34362, CVE-2023-35036, CVE-2023-35708) that are making headlines.  Initially reported on May 31st, this vulnerability has had a large impact on many companies around the world.  The MOVEit software is susceptible to SQL injection, which allows an attacker access to the MOVEit Transfer database.  The attack happens when SQL commands are injected into a vulnerable endpoint over HTTP or HTTPS, causing the application to execute those commands against the database.  It has been reported that this vulnerability is actively being exploited, that exploitation has been seen since May, and that it has compromised companies in many different sectors.  The vulnerability in the MOVEit Transfer software goes as far back as version 2021.0.6 (13.0.6).

The widespread use of the software and the significance of the vulnerability put many companies at risk.  There have already been attacks against many large companies in both the public and private sectors, which puts those companies and their customers at risk.

In this blog post I want to talk about the MOVEit Transfer software, how it might affect you, and what can be done to mitigate the vulnerability.  I will try to simplify the tech speak for readers who might not have a background in information security.

Before we dive into the heart of this vulnerability, I want to explain what certain terms mean so that, as I dig deeper, everyone can understand a little more of what is going on.  If you are a veteran in the cyber security space, feel free to skip ahead.

What is SQL?

SQL is an acronym for Structured Query Language; it is a language for defining, storing and querying structured data.  SQL is used to create and work with databases that store all kinds of information.  Using SQL makes storing and retrieving data easy, and SQL servers are used to drive applications and web services.  Some examples of what might be stored in a SQL database are user accounts, user profiles, financial data and anything else that needs to be stored in a structured manner.  One example of how a database drives a web application: when you create a new Instagram or Snapchat account, that user information has to be stored somewhere, and a database is the place to store it.

To help illustrate how a database functions, think of a database as a library full of books that all store data.  We use the Dewey Decimal System to find and retrieve the books we want to read in a systematic way.  When we are done with a book, it goes back to its shelf location, again found using the Dewey Decimal System.

What is HTTP and HTTPS?

HTTP is the HyperText Transfer Protocol, a structured way to transmit data between systems.  Just as SQL is a structured way of storing data, we need a way to send that stored data to the requester.  The HTTP protocol was developed for this purpose, and a more secure version of the protocol, HTTPS, was developed to encrypt and protect the data while it is in transit.  The difference between HTTP and HTTPS is that HTTPS wraps encryption around the HTTP protocol, making it harder for people to listen in on the data conversation.

If we think of a room full of people who want to exchange information, each person is a database that needs to communicate with another person in the room.  Let's say two of these people who have never met start out by introducing themselves in English.  Once they agree on how they will communicate and have identified each other, they can start to say what they want to say to each other.

Let's say those same two people want to speak privately in the same room full of people.  They would need to agree on another language or a way of scrambling the words before speaking to each other, and there would need to be an agreed-upon method to unscramble those words so that the information is understandable to the involved parties.  These two exchanges are a simplified explanation of what happens when systems communicate over HTTP and HTTPS.

If you want to read more about SQL or HTTP/HTTPS, hop on over to Wikipedia, where there is more information on these subjects.

Overview of MOVEit:

MOVEit Transfer and MOVEit Cloud from Progress are described as:

“MOVEit provides secure collaboration and automated file transfers of sensitive data and advanced workflow automation capabilities without the need for scripting. Encryption and activity tracking enable compliance with regulations such as PCI, HIPAA and GDPR”

MOVEit Transfer is used by many companies worldwide.  Because of its compliance features and the security built into the software, it is used in many sectors such as healthcare, finance, government and manufacturing.  Since so many industries use the software to transfer sensitive data, this vulnerability is significant and a high risk to personal data.

Unveiling the Vulnerability:

Progress initially announced a vulnerability in the MOVEit Transfer and MOVEit Cloud software on May 31st, 2023.  While this was the official announcement of CVE-2023-34362, other sources saw active exploitation earlier, on May 27, 2023.  In the weeks since the initial announcement, two more vulnerabilities have been published, CVE-2023-35036 and CVE-2023-35708, all of which are SQL injection vulnerabilities.

The three MOVEit vulnerabilities identified are SQL injection vulnerabilities that allow an attacker to create web shells and to steal data that can be sensitive in nature.  Depending on the company or government entity affected, this could potentially impact the general public.

This vulnerability is rated as critical.  When vulnerabilities are discovered they are assessed and given what's called a CVSS score.  The CVSS score is calculated from several factors, grouped into Base, Temporal and Environmental metrics.  Scores are on a scale from 0 to 10, with 10 being the highest severity.


Base metrics

The Base score is the metric enterprises rely upon most.  It deals with the inherent characteristics of a vulnerability -- that is, the ones that don't change over time or due to a user's environment.  It's made up of the following two sets of metrics:

  • Exploitability metrics, which include the following:

    • Attack Vector.

    • Attack Complexity.

    • Privileges Required.

    • User Interaction.

  • Impact metrics, which include the following:

    • Confidentiality Impact.

    • Integrity Impact.

    • Availability Impact.

Temporal metrics

The Temporal score measures aspects of the vulnerability according to its current status. It represents properties of a vulnerability that can change over time, such as the release of an official patch.

Temporal scoring also includes the Report Confidence metric, which measures the following:

  • The degree of confidence in the existence of the vulnerability.

  • The credibility of the known technical details demonstrating that a vulnerability is both real and exploitable.

These metrics can decrease or increase the Base score -- for example, if a patch or workaround becomes available or the vendor validates a vulnerability.

Temporal values include the following:

  • Exploit Code Maturity.

  • Remediation Level.

  • Report Confidence.

Environmental metrics

The CVSS system's Environmental metrics let an organization refine the Base score to reflect the severity of the vulnerability in its own environment.  The score can be adjusted for the vulnerability's impact on individual systems.

Environmental metrics provide real context for vulnerabilities within an organization by considering the following factors:

  • Business criticality of the asset.

  • Identification of mitigating controls.

  • Use of the asset in question.

The entire list of Environmental metric categories consists of the following:

  • Collateral Damage Potential.

  • Target Distribution.

  • Confidentiality Requirement.

  • Integrity Requirement.

  • Availability Requirement.

If we take a look at the National Vulnerability Database (NVD) we can see that two of the three vulnerabilities are rated as critical:

CVE-2023-34362 - CVSS 9.8

CVE-2023-35036 - CVSS 9.1

What this all means is that we need to patch and mitigate these vulnerabilities as soon as we can.  Given the widespread use of the software and the potential loss of sensitive customer data, the longer we wait, the bigger the impact will be.

Technical Details:

Now that we have given an overview of what these vulnerabilities mean, let's dive a little deeper into the technical aspects.

All three of the mentioned vulnerabilities are SQL injection vulnerabilities that can lead to information disclosure and even code execution.

What does this mean and what is SQL injection?

SQL injection is a process where the attacker tricks the application into executing SQL code against a database.  This can lead to retrieving data from the database that could be sensitive, or at times even executing code that gives the attacker access to the server itself.  This is a simplified description of the attack; if you want to learn more, read the Wikipedia post on SQL injection.

If an attacker can craft a SQL injection that the server executes, they can grab sensitive data from the database, they might be able to create a web shell on the database server that would allow them to connect further into the network, or they could alter or delete data in the database.

If you are new to security you might be asking yourself how this happens.  The biggest reason an application is vulnerable to SQL injection is a lack of sanitizing the data that is posted to the application.  If the application doesn't properly validate the data and fails to strip out the attack code, the server executes that code, leading to data leaks and possible system compromise.

To explain how an attacker might leverage a SQL injection to compromise sensitive data, let's take a look at an example.
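The illustration below is added here and is not MOVEit Transfer's code, schema or the original post's example. It uses a constructed three-row user table in an in-memory SQLite database and places a lookup that pastes the request value into the SQL text next to the hardened lookup that binds the value as a parameter; the function and column names are invented for the demonstration.

```python
import sqlite3

# Constructed sample data: a tiny stand-in for a file-transfer app's user table.
# Added illustration only; nothing here is MOVEit Transfer's code or schema.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "finance"),
    ("bob", "bob@example.com", "hr"),
    ("carol", "carol@example.com", "legal"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, department TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, name):
    # Defect: the request value is spliced into the SQL text, so the database
    # cannot tell where the developer's query ends and the caller's input begins.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Fix: a bound parameter is always treated as data, never parsed as SQL,
    # so no amount of quoting in the input changes the query's structure.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    conn = make_db()
    benign = "alice"
    # A value that, once concatenated, closes the string literal and makes the
    # WHERE clause always true: the vulnerable lookup then discloses every row.
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": find_user_vulnerable(conn, benign),
        "vuln_hostile": find_user_vulnerable(conn, hostile),
        "safe_benign": find_user_safe(conn, benign),
        "safe_hostile": find_user_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

Note that the hardened form does not try to recognise and strip attack strings; it hands the value to the database as a bound parameter so it can never be interpreted as SQL, which is the fix that holds up regardless of what the input looks like.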

Potential Consequences:

The potential consequences to an organization that has been compromised can be steep.  They can include damage to the brand, loss of customer trust and monetary losses due to downtime or fines.  When a vulnerability is found within your organization, even a small one, the consequences of not acting on it can be significant.

Outages and downtime from active exploitation, a breach or data loss can impact confidentiality, integrity and availability.  If you lose any one of these three pillars, it can hurt customers' confidence in your organization's ability to protect their data.  If data is leaked or stolen, the confidentiality of that data is impacted.  When an attacker has breached your systems and potentially modified or deleted data, the integrity of the systems and of the data that resides on them is broken.  Finally, if an organization's infrastructure is taken offline, whether deliberately or as an effect of a breach, the availability of its services is impacted.  Progress made the decision to take their MOVEit Cloud offering offline temporarily, which cut off customer access for a period of time.  When systems are down people can't do their work, which results in lost time, money and confidence.

Patching and Mitigation:

Progress, the company that developed MOVEit Transfer and several other products, has issued several patches and guidance on how to mitigate these vulnerabilities.  You can find the patches, along with the process for installing them, on the company's support page.

Progress has made several patches available to address the various versions you might be running.  There is a full installer or a DLL drop-in, so depending on your comfort level you can go either direction.  There are also full installation instructions that walk you through the entire process.

The company has put out instructions on how to mitigate attacks against vulnerable systems in case you aren't able to update immediately.  This involves blocking all HTTP and HTTPS access to the vulnerable MOVEit web application.  At a bare minimum it is in your best interest to block external access to the systems until patches can be deployed.

Best Practices:

As software becomes more complex, the chance that bugs will be introduced is high.  Establishing some best practices will help you better secure your customers' data.

A few ideas for best practices include:

  • An up-to-date inventory of your assets

    • This will allow you to understand what is deployed within your organization so that you can monitor and update software as patches are put out.

  • A strong vulnerability management program

    • Ongoing scanning, subscriptions to vendor patching lists and other related feeds

  • A defined patching lifecycle that accounts for regular patches and emergency patches

    • Regular patching will catch a lot of the vulnerabilities that the vendor knows about

    • Being able to react in a quick manner to deploy emergency patches

  • Regular testing and auditing of systems and infrastructure

    • Continual scanning of the infrastructure looking for outdated or vulnerable software

  • If you develop your own software, testing and understanding of third-party libraries that might introduce vulnerabilities

    • It’s important to test your software to look for bugs introduced into the software before deployment

    • It's also important to know the third-party libraries you use and whether they are going to introduce vulnerabilities into your software

  • A clearly documented and implemented Security Incident Response program

    • Being able to react to breaches and compromises, or to rally the troops when a large vulnerability is found, will help resolve the issue quickly

Future Considerations:

The MOVEit Transfer vulnerability is nothing new; we see more and more massive vulnerabilities such as Log4j in the news.  This specific vulnerability isn't going to change the cybersecurity landscape; it just adds to the growing number of critical vulnerabilities affecting large numbers of companies.  The lessons from this incident are the same ones we have been seeing for years, and the only way to reduce our risk and better protect our customers' data is to actively patch our systems.  What might seem an acceptable risk to a company isn't viewed the same way by the customers whose data was lost due to a lack of proper patching procedures.

Conclusion:

In conclusion, the MOVEit vulnerability is a large one that continues to highlight the need for a solid vulnerability management program.  It's not enough to say you have a program; you have to actually use it.  There has to be a balance between prioritizing features and putting out new products on the one hand, and managing systems and making sure they have the latest patches in place on the other.

Part of a strong vulnerability management program is understanding the software that is deployed within your organization and actively monitoring announcements of vulnerabilities.  Knowing about the vulnerabilities is only the first step; actively patching systems, specifically those with high or critical vulnerabilities, will reduce the risk and make your organization a harder target for attackers looking to steal data.

Security today is as important as, if not more important than, in the past: more services are going online and the data associated with those services is stored digitally.  To help protect the data and the organization as a whole, putting proper security measures in place is more important today than ever.

Want to read more?

  • Progress’s Community page for the MOVEit vulnerability

  • NIST site listing all the Progress vulnerabilities

  • Detailed analysis of the MOVEit Transfer vulnerability by Huntress
