MOVEit Transfer Vulnerabilities: How Clients Can Mitigate the Damage

by | June 28, 2024

Hot on the heels of a devastating vulnerability last year—one that affected more than 2,300 organizations, including the U.S. Department of Energy, Shell, and British Airways—the MOVEit Transfer managed file transfer service recently disclosed two new serious vulnerabilities in its software.

What are these new vulnerabilities, how serious are they, and what should MOVEit customers do to address them? Continue reading to find out.

Table of Contents

Secure Cloud File Transfer

MASV is an ISO 27001, SOC 2, and TPN-verified (Gold Shield status) secure file transfer service.

What Are the Current MOVEit Vulnerabilities?

The new vulnerabilities, known as CVE-2024-5805 and CVE-2024-5806, both allow hackers to bypass Progress Software-owned MOVEit’s user authentication safeguards:

  • CVE-2024-5805: Authentication vulnerability in Progress MOVEit Gateway (SFTP module) that affects MOVEit Gateway 2024.0.0.
  • CVE-2024-5806: Authentication vulnerability in the Progress MOVEit Transfer (SFTP module) that affects versions 2023.0.0 before 2023.0.11, 2023.1.0 before 2023.1.6, and 2024.0.0 before 2024.0.2.

MOVEit allows customers to use several different file transfer protocols including SCP, HTTP, and SFTP. These vulnerabilities affect the SFTP module only.

The vulnerabilities allow hackers to breach MOVEit systems in different ways. For example, security firm watchTowr described two possible attack vectors stemming from CVE-2024-5806:

  1. Assuming the identity of a trusted user: Use of a null string (a string with no value) as a public encryption key during authentication, allowing hackers to log in as trusted users. Of the two, this is considered the most serious vulnerability.
  2. Forced authentication: Manipulation of Secure Shell (SSH) public key paths to force an authentication using a malicious SMB server and valid username.

💡Last year’s MOVEit vulnerability (CVE-2023-34362) exploited a weakness that provided hackers with escalated privileges and unauthorized user environment access. It affected both on-premises and cloud-based systems. The Cl0p ransomware-as-a-service gang exploited the vulnerability by stealing customer data.

How Serious Are the Current MOVEit Vulnerabilities?

They’re very serious: Both vulnerabilities earned a severity score of 9.1/10 (critical) on the Common Vulnerability Scoring System (CVSS).

And Ars Technica described CVE-2024-5806 as a vulnerability that puts “huge swaths of the Internet at risk of devastating hacks,” adding that hackers had begun trying to exploit them within hours of their disclosure.

After conducting an internet scan, cybersecurity firm Censys says it detected 2,700 MOVEit transfer instances online, with most in the U.S.

“We have addressed the MOVEit Transfer vulnerability and the Progress -MOVEit team strongly recommends performing an upgrade to the latest version listed in the table below,” Progress said in a statement on its community website (see information on version upgrades in the next section).

To make matters worse, however, Progress says another recently (undisclosed) discovered vulnerability in a third-party component raises the risk of CVE-2024-5806 even further.

“A newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue mentioned above if left unpatched. While the patch distributed by Progress on June 11th successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk.”

Has MOVEit Addressed the Issue?

Progress Software posted hotfixes for CVE-2024-5806 with versions 2023.0.11, 2023.1.6, and 2024.0.2. CVE-2024-5805 was addressed with version 2024.0.1.

If you’re a MOVEit customer, it’s important to update your software to a secure version as soon as possible. If you’re unsure which version of MOVEit software you have, you can check using this link.

Premium Cloud Infrastructure

MASV runs on premium and secure AWS cloud infrastructure.

What Should MOVEit Customers Do?

There are steps MOVEit customers can do to ensure their data stays secure.

  • Job 1 for any sysadmin is to apply any hotfixes supplied by Progress right away, along with conducting proactive monitoring of your system for indicators of unauthorized access (especially recently). Unfortunately, patching like this requires taking the whole system offline temporarily—which can obviously be a huge drag on productivity.
  • Companies can also implement software such as Fail2Ban, an intrusion prevention daemon that guards against brute force attacks by banning IPs that generate multiple failed authentication attempts.
  • Consider implementing a Zero Trust identity and access management (IAM) framework. While Zero Trust solutions can cause some employee friction, application performance degradation, and are relatively expensive, tools from vendors such as Cloudflare and Zscaler can significantly mitigate the impact of this kind of vulnerability
  • Finally, to avoid this kind of situation in the first place, use file transfer software that doesn’t require opening inbound ports—and if you must, don’t leave those ports open longer than absolutely necessary. MOVEit requires its customers to open ports for its software to work. But hackers can use port scanning tools to quickly determine which ports a company has left open, along with if those ports are used by a MOVEit instance (or other software), and then try to brute force their way inside.

Send Files Securely—Without Opening Ports—With MASV

MASV file transfer doesn’t require opening new inbound ports or port forwarding, ensuring our file transfer solution is inherently more secure than services like MOVEit, GoAnywhere, and Aspera (the latter two were also hit with vulnerabilities last year):

  • The MASV file transfer service is fully web-based; all actions—such as uploads and downloads— are client-initiated and authenticated by a cloud server. This means users don’t have to put themselves at risk by opening inbound ports.
  • MASV’s Storage Gateway feature, which allows MASV users to ingest data into networked shared storage devices directly from MASV, uses WebSockets as a secure communications tunnel. Users run Storage Gateway on their storage device, authenticate through a MASV cloud server, and then are given a secure communications channel using WebSockets without the user needing to open inbound ports. And if a user disconnects their Storage Gateway from MASV, no one else can access that channel without going through the same authentication process.

Additionally, because MASV is cloud-based, users aren’t on the hook to discover and mitigate potential issues on their own. Cloud-based file transfer solutions like MASV manage their own infrastructure and can patch vulnerabilities for all users within minutes—with practically no disruption.

You can learn more about MASV’s comprehensive security posture here.

Sign up for MASV for free and experience the ultimate in secure file transfer.

MASV File Transfer

Get 20GB free to use with the fastest, most secure large file transfer service available: MASV.