Progress Software Patches Another Critical Flaw in MOVEit Transfer
Progress Software has released a service pack to address three recently disclosed vulnerabilities in its MOVEit Transfer software, one of which is rated critical and can be exploited remotely by an unauthenticated user. According to Progress Software, the vulnerability – CVE-2023-36934 – is a SQL injection flaw that, if exploited, would allow an unauthorized individual to gain access to the MOVEit Transfer database.
A second SQL injection vulnerability has been fixed that could also be exploited to gain access to the MOVEit Transfer database, resulting in modification or disclosure of MOVEit database content. The vulnerability, CVE-2023-36932, is rated high-severity as the attacker would need to be authenticated. The third vulnerability is tracked as CVE-2023-36933 and is also a high-severity flaw. The vulnerability could be exploited to invoke a method that results in an unhandled exception, which would cause the application to terminate unexpectedly.
None of the three vulnerabilities was believed to have been exploited in the wild, and no proof-of-concept exploits had been released, at the time the security updates were published; prompt patching is nevertheless strongly recommended, since the earlier MOVEit Transfer flaws went from disclosure to mass exploitation quickly. A vulnerability disclosed in May 2023 – CVE-2023-34362 – was exploited by the Clop ransomware group to steal customer data from MOVEit Transfer databases. Following the exploitation of that flaw, Progress Software conducted an audit of the product and found further critical-severity flaws, which were also patched in the weeks that followed.
Vulnerable software versions are detailed below along with the fixed versions of the software:
| Affected Version | Vulnerabilities | Fixed Version |
|---|---|---|
| MOVEit Transfer 2020.0.x (12.0.x) and older | CVE-2023-36932 (High) & CVE-2023-36934 (Critical) | Upgrade required to a supported MOVEit Transfer version |
| MOVEit Transfer 2020.1.6 (12.1.6) and later | CVE-2023-36932 (High) & CVE-2023-36934 (Critical) | MOVEit Transfer 2020.1.11 (12.1.11) – Service Pack |
| MOVEit Transfer 2021.0.x (13.0.x) and older | CVE-2023-36932 (High), CVE-2023-36933 (High), CVE-2023-36934 (Critical) | MOVEit Transfer 2021.0.9 (13.0.9) |
| MOVEit Transfer 2021.1.x (13.1.x) and older | CVE-2023-36932 (High), CVE-2023-36933 (High), CVE-2023-36934 (Critical) | MOVEit Transfer 2021.1.7 (13.1.7) |
| MOVEit Transfer 2022.0.x (14.0.x) and older | CVE-2023-36932 (High), CVE-2023-36933 (High), CVE-2023-36934 (Critical) | MOVEit Transfer 2022.0.7 (14.0.7) |
| MOVEit Transfer 2022.1.x (14.1.x) and older | CVE-2023-36932 (High), CVE-2023-36933 (High), CVE-2023-36934 (Critical) | MOVEit Transfer 2022.1.8 (14.1.8) |
| MOVEit Transfer 2023.0.x (15.0.x) and older | CVE-2023-36932 (High), CVE-2023-36933 (High), CVE-2023-36934 (Critical) | MOVEit Transfer 2023.0.4 (15.0.4) |
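Reading the table by hand across a fleet is error-prone, because each branch has its own fix threshold and the 2020.x branches differ in which CVEs apply and in whether the service pack applies at all. The following script is an added example written for this page, not tooling from Progress Software: it encodes the fix thresholds above, classifies an installed build number as fixed, vulnerable, unsupported or not covered by the table, and triages a host inventory worst-first. The inventory at the bottom is constructed sample data, and collecting the installed build number from each server is assumed to happen elsewhere.

```python
"""Triage MOVEit Transfer hosts against the fixed versions in Progress
Software's July 2023 advisory (CVE-2023-36932, CVE-2023-36933, CVE-2023-36934).

Added example for this page, not Progress Software's tooling. The fix
thresholds are transcribed from the advisory table; the host inventory at the
bottom is constructed sample data, and how the installed build number is read
from each server is assumed to happen elsewhere.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

CVE_36932 = "CVE-2023-36932"  # SQL injection, authenticated (high)
CVE_36933 = "CVE-2023-36933"  # unhandled exception, application terminates (high)
CVE_36934 = "CVE-2023-36934"  # SQL injection, unauthenticated (critical)
ALL_THREE = (CVE_36932, CVE_36933, CVE_36934)
TWO = (CVE_36932, CVE_36934)  # the 2020.x (12.x) branches are not listed for 36933


def parse_version(text: str) -> Version:
    """'15.0.4' -> (15, 0, 4); rejects anything other than dotted integers."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric build number: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


@dataclass(frozen=True)
class Branch:
    fixed: Version                           # first build carrying the fix
    cves: Tuple[str, ...]                    # CVEs the advisory lists for this branch
    min_patchable: Optional[Version] = None  # service pack applies only from here up


# Keyed by the internal (major, minor) number; the year-style name is in the comment.
FIX_TABLE: Dict[Tuple[int, int], Branch] = {
    (12, 1): Branch((12, 1, 11), TWO, min_patchable=(12, 1, 6)),  # 2020.1.x
    (13, 0): Branch((13, 0, 9), ALL_THREE),                       # 2021.0.x
    (13, 1): Branch((13, 1, 7), ALL_THREE),                       # 2021.1.x
    (14, 0): Branch((14, 0, 7), ALL_THREE),                       # 2022.0.x
    (14, 1): Branch((14, 1, 8), ALL_THREE),                       # 2022.1.x
    (15, 0): Branch((15, 0, 4), ALL_THREE),                       # 2023.0.x
}
OLDEST_PATCHABLE_BRANCH = (12, 1)  # 2020.0.x (12.0.x) and older get no fix at all


def assess(version_text: str) -> dict:
    """Classify one installed build as fixed / vulnerable / unsupported / unknown."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch < OLDEST_PATCHABLE_BRANCH:
        return {"version": version_text, "status": "unsupported", "cves": TWO,
                "action": "upgrade to a supported MOVEit Transfer version"}
    entry = FIX_TABLE.get(branch)
    if entry is None:
        # A branch newer than 2023.0 is not in this advisory's table; report that
        # rather than guessing, and consult the vendor's current guidance.
        return {"version": version_text, "status": "unknown", "cves": (),
                "action": "branch not listed in the July 2023 advisory table"}
    if v >= entry.fixed:
        return {"version": version_text, "status": "fixed", "cves": (), "action": "none"}
    if entry.min_patchable is not None and v < entry.min_patchable:
        # Assumption drawn from the table: builds below the service-pack floor
        # cannot take the service pack and must move to a fixed build instead.
        return {"version": version_text, "status": "vulnerable", "cves": entry.cves,
                "action": f"service pack applies only from {fmt(entry.min_patchable)}; "
                          f"upgrade to {fmt(entry.fixed)} or a newer supported branch"}
    return {"version": version_text, "status": "vulnerable", "cves": entry.cves,
            "action": f"upgrade to {fmt(entry.fixed)}"}


def triage(inventory: Dict[str, str]) -> Dict[str, dict]:
    """Return only hosts that still need action, those exposed to the critical CVE first."""
    results = {host: assess(ver) for host, ver in inventory.items()}
    pending = {h: r for h, r in results.items() if r["status"] != "fixed"}
    return dict(sorted(pending.items(),
                       key=lambda hv: (CVE_36934 not in hv[1]["cves"], hv[0])))


# Constructed sample inventory (host -> installed build); not real systems.
SAMPLE_INVENTORY = {
    "mft-prod-01": "15.0.4",  # already on the fixed 2023.0.4 build
    "mft-prod-02": "14.1.6",  # 2022.1.x below 14.1.8
    "mft-legacy": "12.0.9",   # 2020.0.x, out of support
    "mft-dev": "12.1.3",      # 2020.1.x but below the 12.1.6 service-pack floor
}

if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {result['version']:8} {result['status']:12} "
              f"{', '.join(result['cves']) or '-'}  -> {result['action']}")
```

Two-component inputs such as "15.0" compare as older than "15.0.4" and are therefore reported as vulnerable, which is the conservative outcome when a scanner returns a truncated build number; any string that is not dotted integers is rejected outright rather than silently classified.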
The remediation route for the latest trio of flaws depends on whether the May 2023 patch and its accompanying remediation steps were already applied; Progress Software's advisory sets out the steps for each case, so check which state each server is in before applying the service pack. Progress Software has also confirmed that it will release service packs on a monthly basis to make it quicker and easier for system administrators to address security issues in the future.
The post Progress Software Patches Another Critical Flaw in MOVEit Transfer appeared first on HIPAA Journal.