Since the initial breach and data loss discovery, Progress has been going through multiple security audits and reviews in an attempt to shore up security in the MOVEit platform. The challenge is that each new pass seems to find another critical issue that can be leveraged by attackers. In the most recent case, the vulnerabilities were found by HackerOne and Trend Micro’s Zero Day Initiative and responsibly reported to Progress so that a patch could be developed and deployed. Overall, Progress is doing the right thing here to get on top of security; it just seems that development of the application might not have followed a good security development policy. The number of SQL injection flaws, and unauthenticated ones at that, is shocking. A solid development security practice, with code review and vulnerability scanning of new versions before they are released, should have found many of these new flaws and prevented them from being accessible to attackers in the wild.
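To make the point about SQL injection and pre-release review concrete, here is an added example (not code from the post, from Progress or from MOVEit) showing the defect class beside its fix, plus a crude review check of the kind that would catch the vulnerable form before release. The table, rows, function names and the heuristic pattern are all constructed for this illustration.

```python
import re
import sqlite3

# Constructed sample data; none of this comes from the original post.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db():
    """Build an in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Defect: the caller-controlled value is pasted into the SQL text, so a
    quote in the input changes the query's structure instead of its data."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Fix: the value travels as a bound parameter and is never parsed as SQL."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def demo():
    """Run both lookups against the same input and report how many rows each
    returns; the numbers show why the concatenated form is a real flaw."""
    conn = make_db()
    # A value containing a quote: the concatenated query's WHERE clause is
    # rewritten so every row matches, while the parameterised query treats the
    # whole string as a literal name that matches nothing.
    crafted = "x' OR '1'='1"
    return {
        "vulnerable": len(lookup_vulnerable(conn, crafted)),
        "safe": len(lookup_safe(conn, crafted)),
        "normal": len(lookup_safe(conn, "alice")),
    }


# Heuristic review check (an assumption for this example, not a real tool):
# flag any source line that both contains an SQL keyword and builds the
# string dynamically (f-string, .format(), % formatting or + concatenation).
SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
DYNAMIC_BUILD = re.compile(r"""\bf["']|\.format\(|["']\s*%\s*\(?\w|\+\s*\w""")


def flag_dynamic_sql(source):
    """Return 1-based line numbers that look like dynamically built SQL.
    It is a coarse heuristic and will produce some false positives; it is
    meant as a pre-release gate that sends lines to a human reviewer."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if SQL_KEYWORD.search(line) and DYNAMIC_BUILD.search(line):
            hits.append(lineno)
    return hits


# Constructed source snippet to scan: lines 1 and 3 build SQL dynamically.
SAMPLE_SOURCE = "\n".join([
    "rows = db.execute(f\"SELECT * FROM users WHERE name = '{name}'\")",
    "rows = db.execute(\"SELECT * FROM users WHERE name = ?\", (name,))",
    "rows = db.execute(\"SELECT * FROM users WHERE id = \" + str(uid))",
])

if __name__ == "__main__":
    print(demo())
    print("review hits:", flag_dynamic_sql(SAMPLE_SOURCE))
```

The parameterised lookup is the only change needed to close the flaw; the scanner is there to show that the vulnerable pattern is mechanically recognisable in source, which is exactly what a pre-release review step should be catching.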
No matter the outcome of the multiple audits and security research teams combing through MOVEit with a fine-toothed comb, Progress is going to take a hit here. There are significant financial and reputational impacts that will take an extended amount of time to recover from, on top of the cost of reworking the software to ensure it is safe to use. MOVEit could end up on the same list as Kaseya when it comes to cybersecurity insurance, making it one of those programs that nobody wants in their environment. This is rather sad when you consider that a little proactive work and budgeting likely could have prevented all of this.
If you are using MOVEit (versions 12.1.10 and prior, 13.0.8 and prior, 13.1.6 and prior, 14.0.6 and prior, 14.1.7 and prior, and 15.0.3 and prior), you should patch now to ensure that threat actors do not have unauthenticated access to your data. The three most recent vulnerabilities are being tracked as CVE-2023-34363 (unauthenticated SQL injection), CVE-2023-36932 (authenticated SQL injection) and CVE-2023-36933 (unhandled exception leading to termination).
Happy patching