Threat Summary:
A vulnerability in MOVEit Transfer and MOVEit Gateway was announced on June 25th, 2024. The vulnerability impacts versions from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2. This vulnerability is classified as Improper Authentication (CWE-287) with a CVSS score of 9.1 (Critical). An attacker can arbitrarily authenticate into the MOVEit system with a known user account and take any actions as that user after authentication. These actions may include adding, removing, changing, and/or exfiltrating files.
Lumifi’s Analysis:
This vulnerability contains multiple attack methods, of varying complexity. The first attack method is to send a UNC path that uses an IP address to the MOVEit server’s SFTP port (22 by default). On the same network segment, Responder can be run before this request to collect the NET-NTLMv2 hash of that machine’s service account related to MOVEit. With that hash and username, the password can be cracked offline to gain access.
The second attack method is uploading a SSH public key to the MOVEit server and then calling the file path of that location in the system when logging in with a known user account. This will leverage the uploaded SSH key for authentication and allow the login of the user specified in that attempt (regardless of the association of that user account with the key file). To complete the authentication in this method, a null (“”) fingerprint must be used along with the valid public/private keypair. The null value will default to resolving to an accepted case for the login. This value is placed by specifying a path in the system (similar to the first method) to the uploaded public key, in the packet.
The third attack method is a combination of attack methods 1 and 2. This methodology leverages the login webpage of the MOVEit server. Instead of supplying a username on login, the SSH public key can be placed in that field. This key must be in a PPK (putty) format and leverage the /guestaccess.aspx page along with two parameters: transaction=signoff and arg12=<PPK Public Key>. This places the public key data into the system log file, which can then be called upon by specifying the file path to that system log file when attempting a login with a valid user account. This means that an attacker can authenticate arbitrarily (with a known valid user account) to a system with no uploading privileges.
There are several ways to gain a valid user account for this process. E-mail lists, data dumps, and dictionary attacks can be deployed in this process. Furthermore, if an attacker wants to enumerate valid user accounts on the MOVEit server, they can deploy the UNC path calls to a controlled DNS server and change the domain names according to the username attempted. After the supplied list is exhausted, the attacker can review any DNS logs that were requested by the target machine, since only valid accounts will continue with the UNC path search.
Lumifi’s Current Coverage and Mitigation Recommendations:
Progress released patches for this vulnerability, and it is highly recommended that these be implemented immediately. The following versions are patched:
Only 2024.0.0 is affected in MOVEit Gateway.
Based on the aforementioned research, Lumifi created and implemented the following detections:
