Monday, 10 July 2023 10:52

Progress Software’s MOVEit has yet another Unauthenticated SQL Injection Flaw

Written by

Reading time is around minutes.

Last week Progress Software, the company behind MOVEit file transfer software, announced another SQL injection flaw had been identified and patched. This flaw is just the latest in a series of vulnerabilities that have been identified in the application after the Cl0p ransomware group was found to have exploited a different SQL injection flaw to steal data from multiple MOVEit users. The attacks started in late 2022, but the Cl0p group might have been testing different entry points as far back as June 2022.

Since the initial breach and data loss discovery Progress has been going through multiple security audits and reviews in an attempt to shore up security in the MOVEit platform. The challenge is that each new run through seems to find another critical issue which can be leveraged by attackers. In the most recent case, the vulnerabilities were found by HackerOne and Trend Micro’s Zero Day Initiative. These were then responsibly reported to Progress so that a patch could be developed and deployed. Overall, Progress is doing the right thing here to get on top of security, it just seems that development of the application might not have followed a good development security policy. The number of SQL injection flaws and unauthenticated ones at that, is shocking. A solid development security practice with code review and vulnerability scanning of new versions before they are released should have found many of these new flaws and prevented them from being accessible to attackers in the wild.

No matter the outcome of the multiple audits and security research teams combing through MOVEit with a fine-toothed comb, Progress is going to take a hit here. There are significant financial and reputational impacts that are going to take an extended amount of time to recover from. These impacts are on top of the costs of reworking the software to ensure it is safe to use. MOVEit could end up on the same list as Kaseya when it comes to cybersecurity insurance, making it one of those programs that nobody wants to have in their environment. This is rather sad when you consider the likely fact that a little proactive work and budgeting could have prevented all of this.

If you are using MOVEit (versions 12.1.10 and prior, 13.0.8 and prior, 13.1.6 and prior, 14.0.6 and prior, 14.1.7 and older, and 15.0.3 and earlier) you should patch now to ensure that threat actors do not have unauthenticated access to your data. The three most recent vulnerabilities are being tracked as CVE-2023-34363 – unauthenticated SLQ injection, CVE-2023-36932 – authenticated SQL injection, CVE-2023-36933 – unhandled exception with termination.
Happy patching

Read 534 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.