Latest MOVEit Bug Is Another Critical SQL Injection Flaw
Progress Software Reveals 1 New 'Critical' and 2 'High-Severity' Bugs
For the third time since the discovery of the MOVEit Transfer application zero-day vulnerability, Progress Software has revealed a new critical SQL injection vulnerability affecting its managed file transfer web application. The company also revealed two high-severity bugs.
Critical Bug - CVE-2023-36934
The critically rated bug, tracked as CVE-2023-36934, has a CVSS score of 9.8. It allows remote attackers to bypass authentication on affected systems and execute arbitrary code, said Progress Software in a security advisory.
The vulnerability exists within the human.aspx endpoint. It could allow an attacker to send a crafted request and trigger the execution of SQL queries composed from a user-supplied string. The attacker can then leverage this vulnerability to execute code in the context of the
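The advisory's phrase "SQL queries composed from a user-supplied string" describes the root cause of every bug in this class. The following added example (not MOVEit code, and not from Progress or the advisory) shows that pattern beside its parameterized replacement against a constructed SQLite table; the table, column names and sample rows are assumptions chosen for illustration.

```python
import sqlite3


def setup_db():
    # Constructed in-memory table standing in for an application's user store.
    # Schema and rows are assumptions for this demonstration, not MOVeit's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("o'brien", "obrien@example.test")],
    )
    return conn


def lookup_unsafe(conn, username):
    # Vulnerable pattern: the query text is composed from the user-supplied
    # string, so the input can change the query's structure, not just its data.
    # A legitimate value containing a quote (o'brien) also breaks the query,
    # which is one sign in application logs that queries are being concatenated.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Hardened pattern: a parameterized query. The value travels separately
    # from the SQL text, is compared as a literal, and is never parsed as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = setup_db()
    crafted = "x' OR '1'='1"
    print(lookup_unsafe(conn, "alice"))    # one row
    print(lookup_unsafe(conn, crafted))    # every row: the WHERE clause was rewritten
    print(lookup_safe(conn, crafted))      # no rows: no user is literally named that
    print(lookup_safe(conn, "o'brien"))    # the quoted name is handled correctly
```

The same fix applies to any stack: in ASP.NET the equivalent is a SqlCommand with SqlParameter values rather than string-built SQL.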
Progress Software first reported the MOVEit vulnerability and released an initial patch for the zero-day flaw on May 31. Two weeks later, the company discovered an SQL injection flaw in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database (see: MOVEit Discloses More Vulnerabilities, Issues Patch).
The latest vulnerability shares commonalities with the first flaw, CVE-2023-34362, which has been actively exploited over the past month by the Clop ransomware group to exfiltrate data from hundreds of victim organizations for extortion (see: Extortion Group Clop's MOVEit Attacks Hit Over 130 Victims).
Like that flaw, the CVE-2023-36934 vulnerability provides unauthorized access and could result in modification and disclosure of MOVEit database content.
The company attributed the discovery of the vulnerability to Guy Lederfein of Trend Micro, who worked with the Zero Day Initiative to find the bug.
High-Severity Bugs - CVE-2023-36932 and CVE-2023-36933
Progress Software also revealed details of a high-severity denial-of-service bug tracked as CVE-2023-36933 in its MOVEit Transfer application. The vulnerability allows attackers to invoke a method that results in an unhandled exception. Triggering this workflow can cause the MOVEit Transfer application to terminate unexpectedly and enter a DoS condition.
The flaw's discovery has been attributed to responsible disclosure on the HackerOne platform by a user named James Horseman. Progress said the three vulnerabilities have been fixed.
The second high-severity bug is CVE-2023-36932. It can be exploited by an unauthenticated attacker to gain access to the MOVEit Transfer database and is similar to CVE-2023-36934.
Progress Software did not immediately respond to Information Security Media Group's request for additional details on why those vulnerabilities have been rated differently if their impact is the same.
The company said affected customers who have not yet done so must first apply the patch for the original zero-day before applying the latest patch update.
At the moment, no known instances of in-the-wild exploitation and no public proof-of-concept exploits have been found for any of the three latest vulnerabilities.