MOVEit mayhem 3: “Disable HTTP and HTTPS traffic immediately”

Update. Progress Software has now tested and published a patch for the “irresponsibly disclosed” vulnerability (CVE-2023-35708) described below. Turn off web access to MOVEit Transfer until you’ve applied this latest patch. [2023-06-17-19:00:00Z]

Yet more MOVEit mayhem!

“Disable HTTP and HTTPS traffic to MOVEit Transfer,” said Progress Software, and the timeframe for doing so was “immediately”, no ifs, no buts.

Progress Software is the maker of the file-sharing software MOVEit Transfer, and of the hosted MOVEit Cloud alternative that’s based on it, and this is its third warning in three weeks about hackable vulnerabilities in its product.

At the end of May 2023, cyberextortion criminals associated with the Clop ransomware gang were found to be using a zero-day exploit to break into servers running the MOVEit product’s web front-end.

By sending deliberately malformed SQL database commands to a MOVEit Transfer server via its web portal, the criminals could access database tables without needing a password, and implant malware that allowed them to return to compromised servers later on, even if those servers had been patched in the meantime.

The attackers have apparently been stealing trophy company data, such as employee payroll details, and demanding blackmail payments in return for “deleting” the stolen data.

We explained, back at the start of June 2023, how to patch against this bug (CVE-2023-34362), and what you could look for in case the crooks had already paid you a visit:

Second warning

That warning was followed, last week, by an update from Progress Software.

While investigating the zero-day hole they’d just patched, Progress developers uncovered similar programming flaws elsewhere in the code (CVE-2023-35036).

The company therefore published a further patch, urging customers to apply this new update proactively, assuming that the crooks (whose zero-day had just been rendered useless by the first patch) would also be keenly looking for other ways to break back in:

Unsurprisingly, bugs of a feather often flock together, as we explained in this week’s Naked Security podcast:

[On 2023-06-09, Progress put] another patch out to deal with similar bugs that, as far as they know, the crooks haven’t found yet (but if they look hard enough, they might).

And, as weird as that sounds, when you find that a particular part of your software has a bug of a particular kind, you shouldn’t be surprised if, when you dig deeper…

…you find that the programmer (or the programming team who worked on it at the time that the bug you already know about got introduced) committed similar errors around the same time.

Third time unlucky

Well, lightning struck the same place for the third time in quick succession.

This time, it seems as if someone performed what’s known in the jargon as a “full disclosure” (where bugs are revealed to the world at the same time as to the vendor, thus giving the vendor no breathing room to publish a patch proactively), or “dropping an 0-day”.

Progress reported:

Today [2023-06-15], a third party publicly posted a new [SQL injection] vulnerability. We have taken HTTPS traffic down for MOVEit Cloud in light of the newly published vulnerability and are asking all MOVEit Transfer customers to immediately take down their HTTP and HTTPS traffic to safeguard their environments while the patch is finalized. We are currently testing the patch and we will update customers shortly.

Simply put, there was a brief zero-day period during which the new vulnerability (CVE-2023-35708) was circulating, but a patch wasn’t yet tested and ready for release.

As Progress has mentioned before, this group of so-called command injection bugs (where you send in what is supposed to be harmless data that later gets invoked as a server command) can only be triggered via MOVEit’s web-based portal, using HTTP or HTTPS requests.

Fortunately, that meant you didn’t need to shut down your entire MOVEit system to mitigate the bugs before patching them, only web-based access.

What to do?

Quoting from Progress Software’s advice document dated 2023-06-15:

Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment. More specifically:

  • Modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443.
  • It is important to note that until HTTP and HTTPS traffic is enabled again:
    • Users will not be able to log on to the MOVEit Transfer web UI.
    • MOVEit Automation tasks that use the native MOVEit Transfer host will not work.
    • REST, Java and .NET APIs will not work.
    • MOVEit Transfer add-in for Outlook will not work.
  • SFTP and FTP/s protocols will continue to work as normal
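As an added example (not code from Progress Software or from the article), here is how the firewall step above can be applied and checked on the Windows host itself with the built-in NetSecurity cmdlets. The rule name, the default web ports 80/443 and SFTP on port 22 are our assumptions; adjust them to your deployment.

```powershell
# Added example, not code from Progress Software or the article. It implements
# "deny HTTP and HTTPS on ports 80 and 443" with the Windows NetSecurity cmdlets
# on the MOVEit Transfer host. Assumptions (ours): default web ports 80/443,
# SFTP on 22, and a rule name of our own choosing. Run from an elevated shell.

$RuleName = 'MOVEit-Block-Web-Until-Patched'   # constructed name, not a Progress value

function Block-MoveitWeb {
    # A Block rule takes precedence over the Allow rules IIS already has, so the
    # web portal goes dark without touching IIS bindings or the MOVEit service.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 80, 443 -Action Block -Profile Any -Enabled True | Out-Null
}

function Get-MoveitWebBlockPorts {
    # Read back what the rule actually blocks; expect 80 and 443, nothing else.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction Stop |
        Get-NetFirewallPortFilter |
        Select-Object -ExpandProperty LocalPort
}

function Test-MoveitMitigation {
    # Run this from ANOTHER machine: by default Windows Firewall does not filter
    # loopback traffic, so a probe against localhost proves nothing.
    param(
        [Parameter(Mandatory)][string]$Target,
        [int[]]$WebPorts  = @(80, 443),   # must now be closed
        [int[]]$FilePorts = @(22)         # SFTP must still answer, per the advisory
    )
    $probe = { param($p) (Test-NetConnection -ComputerName $Target -Port $p `
                  -WarningAction SilentlyContinue).TcpTestSucceeded }
    $webOpen    = @($WebPorts  | Where-Object { & $probe $_ })
    $fileClosed = @($FilePorts | Where-Object { -not (& $probe $_) })
    [pscustomobject]@{
        WebStillOpen     = $webOpen      # should be empty
        FileTransferDown = $fileClosed   # should be empty
        Mitigated        = ($webOpen.Count -eq 0 -and $fileClosed.Count -eq 0)
    }
}

function Unblock-MoveitWeb {
    # Reverse the mitigation only after the CVE-2023-35708 patch is applied.
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
}
```

This covers the host firewall only; a perimeter or cloud firewall in front of the server needs the same deny rule.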

Progress Software’s patch has now been tested and published, so once you’ve applied the new update you can, in theory, turn web access back on…

…though we’d sympathise if you decided to keep it turned off for a while longer, just to be sure, to be sure.

THREAT HUNTING TIPS FOR SOPHOS CUSTOMERS