Third MOVEit bug fixed a day after PoC exploit made public

Millions of people's personal info swiped, Clop leaks begin with 'Shell's stolen data'

Progress Software on Friday issued a fix for a third critical bug in its MOVEit file transfer suite, a vulnerability that had just been disclosed the day earlier.

Details of the latest vulnerability, tracked as CVE-2023-35708, were made public Thursday; a proof-of-concept (PoC) exploit for the flaw, which was fixed today, also emerged on Thursday.

A researcher who goes by the handle MCKSys Argentina confirmed to The Register that a June 16 MOVEit patch for CVE-2023-35708 mitigated the researcher's PoC exploit code, which was shared in screenshot form.

It's worth repeating that information on how to abuse the SQL injection flaw was made public a day before the software vendor had fixed the issue, so it's possible miscreants used that info to attack MOVEit installations before an update could be developed and applied.

"OK, don't tell anybody, but this attack works on current version of Progress MOVEit Transfer: 2023.0.2 (15.0.2.49)," as MCKSys Argentina tweeted on Thursday, including a screenshot of an exploit for the bug. "So I guess that I just dropped a 0 day here. Always remember to check against the current version!"

Three strikes?

Progress disclosed the first MOVEit flaw on May 31, and issued a patch the next day for CVE-2023-34362. A second bug, CVE-2023-35036, came to light last Friday, June 9, and was also patched the next day.

That brings us to this third hole, CVE-2023-35708, which is another SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to an organization's MOVEit Transfer database and steal its contents. It affects versions released before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).

All MOVEit Transfer customers need to apply the patch for CVE-2023-35708, according to Progress. And depending on whether customers applied the earlier fixes for the May 31 and June 9 vulnerabilities, there are different remediations.

Those who didn't apply the May patch first need to follow Progress' earlier instructions, which include patches for the May 31 and June 9 bugs.

After applying the previous fixes, customers should then patch the June 15 CVE. Those who can't apply the latest update should "immediately disable all HTTP and HTTPs traffic to your MOVEit Transfer environment."
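To turn the affected-version list and the remediation steps above into something an admin can run against an inventory, here is an added example (not code from The Register or from Progress) that classifies MOVEit Transfer build strings against the minimum fixed build in each branch. It assumes the internal build numbers quoted in the article (13.0.8, 13.1.6, 14.0.6, 14.1.7, 15.0.3) are the cut-offs, that only the first three components matter for the comparison, and that builds outside the listed branches should be flagged for review rather than passed; the host names and all builds except 15.0.2.49 are constructed.

```python
# Added example: triage MOVEit Transfer builds against the CVE-2023-35708 fix lines.
from typing import Dict, List, Tuple

# Minimum fixed build per branch (major, minor), from the article's affected-version list.
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (13, 0): (13, 0, 8),   # 2021.0.8
    (13, 1): (13, 1, 6),   # 2021.1.6
    (14, 0): (14, 0, 6),   # 2022.0.6
    (14, 1): (14, 1, 7),   # 2022.1.7
    (15, 0): (15, 0, 3),   # 2023.0.3
}


def parse_build(version: str) -> Tuple[int, ...]:
    """Parse an internal build string such as '15.0.2.49' into a tuple of ints.
    Accepts three or four dotted numeric components; anything else is rejected."""
    parts = version.strip().split(".")
    if len(parts) not in (3, 4) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MOVEit build string: {version!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one build string."""
    build = parse_build(version)
    fixed = FIXED_BUILDS.get(build[:2])
    if fixed is None:
        # Branch not among the listed fix lines (e.g. an older, unsupported release).
        # Assumption: surface it for review instead of silently treating it as safe.
        return "unknown-branch"
    # Assumption: the fourth component (the .49 in 15.0.2.49) is a build suffix that
    # does not affect which fix line a server is on, so compare three components.
    return "patched" if build[:3] >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group a host -> build mapping into the three outcomes, for follow-up."""
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown-branch": []}
    for host, build in inventory.items():
        result[assess(build)].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; 15.0.2.49 is the build the researcher's PoC targeted.
    sample = {"mft-01": "15.0.2.49", "mft-02": "15.0.3.1", "mft-03": "14.1.7.0",
              "mft-04": "13.0.7.2", "legacy": "12.0.1.0"}
    for outcome, hosts in triage(sample).items():
        print(f"{outcome}: {', '.join(hosts) or '-'}")
```

Hosts that land in "vulnerable" or "unknown-branch" are the ones for which Progress' fallback of cutting HTTP and HTTPS access applies until the update can be installed.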

Shell data leaked

Meanwhile, the list of bodies and companies hit by Clop – which has exploited MOVEit's security shortcomings to steal data from organizations – keeps growing. On Friday, oil and gas giant Shell reportedly became the first organization to have its stolen data published on the Clop leak site, according to infosec guru Dominic Alvieri. Clop demands a ransom payment from victims or it threatens to leak any data swiped from them.

The Oregon Department of Transportation in the US said the extortionists accessed personal info belonging to about 3.5 million residents of the state.

"While much of this information is available broadly, some of it is sensitive personal information," the dept's notice stated. "Individuals who have an active Oregon ID or driver's license should assume information related to that ID is part of this breach."

Similarly, Louisiana's Office of Motor Vehicles warned that all residents with a state-issued ID, driver's license, or car registration likely had their name, addresses, social security number, birthdate, height, eye color, license number, vehicle registration, and handicap placard info exposed.

"There is no indication at this time that cyber attackers who breached MOVEit have sold, used, shared or released the OMV data obtained from the MOVEit attack," the Louisiana agency said. "The cyber attackers have not contacted state government. But all Louisianans should take immediate steps to safeguard their identity."

Clop has said it will delete — and not publish — any stolen government data, which presumably includes local governments and the info swiped from the US Energy Department and other federal agencies.

On Thursday, Jen Easterly, who leads the US Cybersecurity and Infrastructure Security Agency, confirmed that the Feds are "not aware of Clop actors threatening to extort, or release any data stolen from government agencies."

Still, we don't suggest putting too much faith in criminals' promises. ®
