What is the CVE-2023-34362 MOVEit SQL Vulnerability?

On May 31, 2023, Progress disclosed a critical security vulnerability (CVE-2023-34362) in MOVEit Transfer software. This vulnerability has the potential to escalate privileges and grant unauthorized access on affected systems through SQL injection (SQLi) in the MOVEit Transfer web application.


MOVEit Transfer is software developed by Progress Software that provides secure collaboration and automated file transfer for sensitive data and is widely used by many organizations worldwide.

Depending on the underlying database engine (e.g., MySQL, Microsoft SQL Server, or Azure SQL), an attacker can access the structure and content of the database and even execute SQL statements to modify or delete data. It is important to note that these attacks can occur over protocols like HTTP or HTTPS.

Exploitation of this vulnerability has been detected since the end of May 2023. Attackers are using a backdoor known as "human2.aspx". Several researchers, including TrustedSec, have examined this backdoor and identified the following functionalities:

Retrieve a comprehensive list of folders, files, and users within MOVEit.

Download any file stored within MOVEit.

Create an administrator user named "Health Check Service" within MOVEit.

Microsoft Threat Intelligence has attributed the exploitation of this vulnerability to the "Lace Tempest" group, a notorious group known for conducting ransomware operations and operating the Cl0p ransomware leak site.

Key Features
The main features of this vulnerability are as follows:

CVE Identifier: CVE-2023-34362.
Disclosure Date: 05/31/2023.
Affected Software: MOVEit Transfer.
Affected Versions: versions prior to 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).
Vendor Recommendations for CVE-2023-34362
The vendor has issued official recommendations to address CVE-2023-34362 as follows:

Disable all HTTP and HTTPS traffic in the MOVEit Transfer environment.

Remove unauthorized files and user accounts and reset credentials for service accounts.


Apply necessary security patches.


Affected Version                              Fixed version
MOVEit Transfer 2023.0.0 (15.0)               MOVEit Transfer 2023.0.1 (15.0.1)
MOVEit Transfer 2022.1.x (14.1)               MOVEit Transfer 2022.1.5 (14.1.5)
MOVEit Transfer 2022.0.x (14.0)               MOVEit Transfer 2022.0.4 (14.0.4)
MOVEit Transfer 2021.1.x (13.1)               MOVEit Transfer 2021.1.4 (13.1.4)
MOVEit Transfer 2021.0.x (13.0)               MOVEit Transfer 2021.0.6 (13.0.6)
MOVEit Transfer 2020.1.x (12.1)               Special Patch Available
MOVEit Transfer 2020.0.x (12.0) or older      MUST upgrade to a supported version
MOVEit Cloud                                  Prod: 14.1.4.94 or 14.0.3.42; Test: 15.0.1.37
                                              All MOVEit Cloud systems are fully patched at this time (see the Cloud Status Page).


Verify that unauthorized files and accounts have been removed.

Re-enable HTTP and HTTPS traffic.

Implement continuous monitoring of the network, endpoints, and logs for Indicators of Compromise (IoCs). The vendor's official recommendation provides a list of IoCs for reference.



Vulnerability Detection

Several sources, including Palo Alto Networks' Unit42 and TrustedSec, have provided indicators to detect compromise through this vulnerability:


Check for suspicious files recently created in directories like "C:\MOVEitTransfer\wwwroot" and "D:\MOVEitDMZ\wwwroot" or similar. Pay particular attention to files such as "human2.aspx" or files created within a similar timeframe with names like "App_Web_[RANDOM].dll".
Look for pre-compiled DLLs in locations like "C:\Windows\Temp", for example "erymbsqv\erymbsqv.dll".
Review MOVEit or firewall logs containing significant outbound network transfers from the MOVEit environment.
Examine the MOVEit user database for a user named "Health Check Service".
Analyze active sessions in the MOVEit database for the "Health Check Service" user (note that the discovered backdoor could alter the last login timestamp, so this field may not be reliable for auditing).
Search for web traffic containing any of the following request or response headers: "X-siLock-Comment", "X-siLock-Step1", "X-siLock-Step2", or "X-siLock-Step3".
A YARA rule developed by Florian Roth can help detect the known web shell commonly used in this attack.
Review firewall and IIS logs of MOVEit for requests originating from vendor-provided IP addresses associated with IoCs.
As part of their services, Tarlogic proactively monitors their clients' environments and promptly informs, detects, and reports not only this vulnerability but also other critical threats that could significantly impact the security of assets.


Thank you for reading!
Source : https://www.turkhackteam.org/konular/cve-2023-34362-moveit-sql-acigi-nedir.2047113/
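The following triage script is an added example and is not part of the original post, nor code from Progress, TrustedSec, Unit42 or Tarlogic. It applies several of the indicators listed in the "Vulnerability Detection" section (the human2.aspx web shell in a MOVEit web root, App_Web_*.dll files written close in time to it, the repeated-name DLL under C:\Windows\Temp, the X-siLock-* headers, and the "Health Check Service" account) to constructed sample data. Assumptions: the file listing, log lines and user rows are all made up for the example; the log format is that of a reverse proxy that records selected request headers (stock IIS logs do not record custom headers unless configured to); and the user rows use hypothetical keys `username` and `is_admin`, not MOVEit's real table schema.

```python
# Added example (not from the original post, nor Progress/Tarlogic code):
# applies several of the indicators listed above to constructed sample data.
import ntpath
import re
from datetime import datetime, timedelta

# Indicators named in the post: web roots, web shell file name, compiled DLL
# name pattern, the <dir>\<dir>.dll temp pattern, backdoor headers, and the
# account the backdoor creates.
WEBROOT_DIRS = {r"c:\moveittransfer\wwwroot", r"d:\moveitdmz\wwwroot"}
WEBSHELL_NAME = "human2.aspx"
COMPILED_DLL = re.compile(r"^App_Web_[^\\]+\.dll$", re.IGNORECASE)
TEMP_DLL = re.compile(r"^C:\\Windows\\Temp\\([a-z0-9]+)\\\1\.dll$", re.IGNORECASE)
SILOCK_HEADER = re.compile(r"X-siLock-(?:Comment|Step[123])", re.IGNORECASE)
BACKDOOR_ACCOUNT = "health check service"


def find_suspicious_files(entries, window=timedelta(hours=1)):
    """entries: iterable of (full Windows path, modified-at datetime).

    Flags human2.aspx in a MOVEit web root, any App_Web_*.dll written within
    `window` of such a web shell, and the repeated-name DLL under C:\\Windows\\Temp.
    Returns a list of (indicator kind, path) tuples.
    """
    entries = list(entries)
    hits, shell_times = [], []
    for path, mtime in entries:
        folder, name = ntpath.split(path)
        if folder.lower() in WEBROOT_DIRS and name.lower() == WEBSHELL_NAME:
            hits.append(("webshell", path))
            shell_times.append(mtime)
    for path, mtime in entries:
        name = ntpath.basename(path)
        if COMPILED_DLL.match(name) and any(abs(mtime - t) <= window for t in shell_times):
            hits.append(("compiled-webshell-dll", path))
        elif TEMP_DLL.match(path):
            hits.append(("temp-dll", path))
    return hits


def find_silock_headers(log_lines):
    """Returns (line number, sorted header names) for every line carrying an
    X-siLock-* header. Assumes the log source records request headers."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        names = sorted({m.group(0) for m in SILOCK_HEADER.finditer(line)})
        if names:
            findings.append((n, names))
    return findings


def find_backdoor_accounts(users):
    """users: rows with hypothetical keys 'username' and 'is_admin'.
    Whitespace and case are normalised so a padded name still matches."""
    return [u for u in users if " ".join(u["username"].split()).lower() == BACKDOOR_ACCOUNT]


# Constructed sample data (not real findings).
NOW = datetime(2023, 6, 1, 10, 0)
SAMPLE_FILES = [
    (r"C:\MOVEitTransfer\wwwroot\human.aspx", NOW - timedelta(days=400)),      # legitimate page
    (r"C:\MOVEitTransfer\wwwroot\human2.aspx", NOW),                           # web shell name from the post
    (r"C:\MOVEitTransfer\wwwroot\App_Web_abc123.dll", NOW + timedelta(minutes=5)),
    (r"C:\MOVEitTransfer\wwwroot\App_Web_old.dll", NOW - timedelta(days=90)),  # outside the time window
    (r"C:\Windows\Temp\erymbsqv\erymbsqv.dll", NOW + timedelta(minutes=3)),    # folder name repeated in DLL name
    (r"C:\Windows\Temp\setup\installer.dll", NOW),                             # name does not repeat the folder
]
SAMPLE_LOG = [
    '2023-06-01T10:00:01Z 203.0.113.7 POST /human2.aspx 200 hdr="X-siLock-Comment: constructed"',
    '2023-06-01T10:00:02Z 198.51.100.4 GET /human.aspx 200 hdr="User-Agent: Mozilla/5.0"',
    '2023-06-01T10:00:05Z 203.0.113.7 POST /human2.aspx 200 hdr="X-siLock-Step1: x; X-siLock-Step2: y"',
]
SAMPLE_USERS = [
    {"username": "alice", "is_admin": False},
    {"username": "Health  Check Service", "is_admin": True},  # extra space shows the normalisation
]


def run_triage(files=SAMPLE_FILES, log_lines=SAMPLE_LOG, users=SAMPLE_USERS):
    """Runs all three checks and returns their findings keyed by check name."""
    return {
        "files": find_suspicious_files(files),
        "headers": find_silock_headers(log_lines),
        "accounts": find_backdoor_accounts(users),
    }


if __name__ == "__main__":
    for check, result in run_triage().items():
        print(check, result)
```

On a real host the three inputs would come from a directory walk of the web roots and C:\Windows\Temp, from whatever proxy or WAF sits in front of MOVEit, and from an export of the MOVEit user table; the matching logic stays the same.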
 

rootibo

Senior Member
13 Mar 2023
useful topic
 