Vulnerabilities in MOVEit Products

June 26, 2024

This Multi-State Information Sharing and Analysis Center (MS-ISAC) Advisory is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.

Multiple vulnerabilities have been discovered in MOVEit products that could allow an attacker to bypass authentication. After successful exploitation, an attacker could view, change, or delete data, or create new accounts with full user rights.

Threat Intelligence
Proof of concept code for CVE-2024-5806 has been released in the wild.

Systems Affected

  • MOVEit Gateway versions prior to 2024.0.1
  • MOVEit Transfer versions prior to 2024.0.2, 2023.1.6, and 2023.0.11
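
The following added example (not part of the MS-ISAC advisory or any Progress tooling) shows one way to triage an asset inventory against the versions listed above. It assumes versions are recorded in the same year.minor.patch form the advisory uses, that each listed fixed version applies to its own release branch, and that branches newer than every listed fix already contain it; the host names and inventory rows are constructed.

```python
# Added example: triage an inventory against the advisory's fixed versions.
# Thresholds come from the "Systems Affected" list; everything else is assumed.
FIXED = {
    "MOVEit Gateway": [(2024, 0, 1)],
    "MOVEit Transfer": [(2024, 0, 2), (2023, 1, 6), (2023, 0, 11)],
}


def parse_version(text):
    """Parse 'YYYY.minor.patch[.build]' into a tuple of ints (numeric compare)."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts[:3])


def classify(product, version):
    """Return 'affected', 'fixed', 'review' or 'unknown' for one install."""
    fixes = FIXED.get(product)
    if fixes is None:
        return "unknown"
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"
    for fix in fixes:
        if v[:2] == fix[:2]:  # same release branch: compare with its own fix
            return "affected" if v < fix else "fixed"
    if v < min(fixes):  # older than every listed fix, so "prior to" all of them
        return "affected"
    if v > max(fixes):  # assumed: a newer branch than any listed fix has it
        return "fixed"
    return "review"  # unlisted branch between fixes: check the vendor bulletin


def triage(inventory):
    """Map (host, product, version) rows to (host, status) pairs."""
    return [(host, classify(product, ver)) for host, product, ver in inventory]


if __name__ == "__main__":
    # Constructed inventory rows; host names are hypothetical.
    sample = [
        ("sftp-01", "MOVEit Transfer", "2023.0.9"),
        ("sftp-02", "MOVEit Transfer", "2023.1.6"),
        ("gw-01", "MOVEit Gateway", "2024.0.0"),
        ("sftp-03", "MOVEit Transfer", "2022.1.4"),
    ]
    for host, status in triage(sample):
        print(f"{host}: {status}")
```

Rows that come back as `review` or `unknown` need a manual check against the Progress bulletins rather than being treated as safe.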

Risk
Government:

– Large and medium government entities: High
– Small government entities: Medium

Businesses:

– Large and medium business entities: High
– Small business entities: Medium

Home Users: Low

Recommendations

  • Apply appropriate updates provided by Progress to vulnerable systems immediately after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include the use of network concentrators, RDP gateways, etc.
  • Use intrusion detection signatures to block traffic at network boundaries.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

References
Progress:
https://community.progress.com/s/article/MOVEit-Gateway-Critical-Security-Alert-Bulletin-June-2024-CVE-2024-5805
https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806

Help Net Security:
https://www.helpnetsecurity.com/2024/06/25/cve-2024-5805-cve-2024-5806/

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5806

Reporting
The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form at www.cyber.nj.gov/report.