Flash Notices

Flash Notice: Patch NOW - Three New MOVEit Transfer Vulnerabilities

Written by Marketing | Jul 10, 2023 2:36:49 PM

overview

Three new vulnerabilities, tracked as CVE-2023-36934, CVE-2023-36932, and CVE-2023-36933, were found in Progress Software’s MOVEit File Transfer software. These new vulnerabilities come on the heels of several critical SQL injection flaws found in the software last month.  

CVE-2023-36934 is a critical SQL injection vulnerability in the MOVEit Transfer web application that can be exploited by an unauthenticated user. According to Progress’s advisory, an attacker could gain unauthorized access to the MOVEit Transfer database by submitting a crafted payload to a MOVEit Transfer application endpoint.  

CVE-2023-36932 is a high-severity SQL injection vulnerability that can be exploited by an attacker after authentication. Both CVE-2023-36934 and CVE-2023-36932 impact several versions of MOVEit Transfer:  

  • 12.1.10 and older 
  • 13.0.8 and older 
  • 13.1.6 and older 
  • 14.0.6 and older 
  • 14.1.7 and older 
  • 15.0.3 and older 

The final vulnerability, CVE-2023-36933 is a high-severity flaw that allows attackers to terminate the program unexpectedly. The vulnerability impacts the following MOVEit Transfer versions:  

  • 13.0.8 and older 
  • 13.1.6 and older 
  • 14.0.6 and older 
  • 14.1.7 and older 
  • 15.0.3 and older 

Last month, Clop exploited a MOVEit File Transfer zero-day vulnerability (CVE-2023-34362). The threat actor had been experimenting with exploitation of the vulnerability for two years due to the vulnerability not being fixed until a few days after its discovery. The new vulnerabilities have not been exploited in the wild, but Avertium and Progress Software recommend that all users apply the appropriate patches as soon as possible.  

  

   

avertium's recommendationS

Progress Software recommends looking for your current version of MOVEit Transfer and applying their Service Pack. Progress wants organizations to note that only full installers are available due to the nature of the included updates. Please see the company’s table below:   


Affected Version 

Fixed Version (Full Installer) 

Documentation 

Release Notes 

MOVEit Transfer 2023.0.x (15.0.x) 

MOVEit Transfer 2023.0.4 (15.0.4) 

MOVEit 2023 Upgrade Documentation   

MOVEit Transfer 2023.0.4 Release Notes 

MOVEit Transfer 2022.1.x (14.1.x) 

MOVEit Transfer 2022.1.8 (14.1.8) 

MOVEit 2022 Upgrade Documentation 

MOVEit Transfer 2022.1.8 Release Notes 

MOVEit Transfer 2022.0.x (14.0.x) 

MOVEit Transfer 2022.0.7 (14.0.7) 

MOVEit 2022 Upgrade Documentation 

MOVEit Transfer 2022.0.7 Release Notes 

MOVEit Transfer 2021.1.x (13.1.x) 

MOVEit Transfer 2021.1.7 (13.1.7) 

MOVEit 2021 Upgrade Documentation 

MOVEit Transfer 2021.1.7 Release Notes 

MOVEit Transfer 2021.0.x (13.0.x) 

MOVEit Transfer 2021.0.9 (13.0.9) 

MOVEit 2021 Upgrade Documentation   

MOVEit Transfer 2021.0.9 Release Notes 

MOVEit Transfer 2020.1.6 (12.1.6) or later 

Special Service Pack Available 

See KB 000236830 
MOVEit Transfer 2020.1 Service 
Pack (July 2023) 

MOVEit Transfer 2020.1.7 Release Notes 

MOVEit Transfer 2020.0.x (12.0.x) or older 

Must Upgrade to a Supported Version 

See MOVEit Transfer Upgrade and  
Migration Guide   

N/A 



 

INDICATORS OF COMPROMISE (IoCs)

At this time, there are no known IoCs associated with CVE-2023-36934, CVE-2023-36932, and CVE-2023-36933. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   

 

 

How Avertium is Protecting Our CUSTOMERS

  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:  
    • Risk Assessments 
    • Pen Testing and Social Engineering  
    • Infrastructure Architecture and Integration  
    • Vulnerability Management 
  • Fusion MXDRis the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts. 
  • Avertium offers Vulnerability Management (VM) to provide a deeper understanding and control over organizational information security risks.  If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap. 





 

SUPPORTING DOCUMENTATION

MOVEit Transfer Service Pack (July 2023) - Progress Community 

MOVEit Transfer customers warned to patch new critical flaw (bleepingcomputer.com) 

Progress Software flags three new vulnerabilities in MOVEit Transfer | SC Media (scmagazine.com)