CVE-2024-5806 MOVEit Products Authentication Bypass
WNE Security Publisher
6/26/2024
(CVE-2024-5806) Base Score: 10 Critical
CVE-2024-5806 Description
CVE-2024-5806 is a critical authentication bypass vulnerability affecting Progress MOVEit Transfer, a secure managed file transfer application. This high-severity flaw allows attackers to bypass SFTP authentication and impersonate any valid user on the system without requiring their credentials.
Key points:
- Affects MOVEit Transfer versions prior to 2024.0.2, 2023.1.6, and 2023.0.11.
- Exploitable in default configurations of the SFTP service.
- Stems from improper handling of the authentication process, involving the interplay between MOVEit and the IPWorks SSH library.
- Exploitation method:
  - Attackers can inject a specially crafted public SSH key into server log files.
  - This key can then be used to bypass authentication and impersonate any valid user.
  - No pre-existing system access is required for exploitation.
- Successful attacks can lead to unauthorized access, modification, or deletion of sensitive data.
- The vulnerability can also be used to enumerate valid usernames on the system.
This vulnerability poses a significant risk to organizations using affected MOVEit Transfer versions, potentially exposing sensitive data and allowing unauthorized system access. Immediate patching or removal of software is strongly recommended.
What is Affected By CVE-2024-5806
The following systems and components are affected by CVE-2024-5806:
- Progress MOVEit Transfer:
  - Versions prior to 2024.0.2
  - Versions prior to 2023.1.6
  - Versions prior to 2023.0.11
- SFTP Service: The vulnerability specifically impacts the SFTP (Secure File Transfer Protocol) service of MOVEit Transfer in its default configuration.
- Authentication System: The flaw affects the authentication mechanism, particularly for SFTP connections.
- User Accounts: All user accounts on affected MOVEit Transfer installations are potentially at risk of impersonation.
- File Access: Any files and data accessible through MOVEit Transfer could be compromised if the vulnerability is exploited.
- Log Files: The attack method involves injecting malicious content into system log files, so these are indirectly affected.
- IPWorks SSH Library: While not directly vulnerable, the interplay between MOVEit and this library contributes to the vulnerability.
- Potentially Other Products: There’s a possibility that other products using the same IPWorks SSH library might be affected by similar issues, though this is not confirmed for CVE-2024-5806 specifically.
It’s important to note that MOVEit Cloud environments were patched and are no longer vulnerable to this exploit. Organizations using on-premises installations of MOVEit Transfer should prioritize updating to the patched versions to mitigate this risk.
Mitigation and Remediation For CVE-2024-5806
Removing this software is the best way to deal with this vulnerability. If that is not feasible in the short term, here are the key mitigation and remediation steps for CVE-2024-5806:
- Immediate Patching:
  - Update MOVEit Transfer to the latest patched version:
    - 2024.0.2 or later
    - 2023.1.6 or later (for the 2023.1.x branch)
    - 2023.0.11 or later (for the 2023.0.x branch)
  - Apply these updates on an emergency basis, without waiting for regular patch cycles.
- Version Verification:
  - Ensure all instances of MOVEit Transfer are updated to the latest patched versions.
- MOVEit Cloud Users:
  - No action required for CVE-2024-5806, as cloud environments have been automatically patched.
- Access Control Review:
  - Implement strict access controls, especially for remote authentication and SFTP services.
  - Consider implementing IP-based restrictions for user access where possible.
- Network Security:
  - Temporarily restrict access to MOVEit services from untrusted networks until patching is complete.
  - Review and tighten outbound connection policies, especially for SMB and DNS.
- Enhanced Monitoring:
  - Increase monitoring for unusual authentication attempts or data access patterns.
  - Monitor logs for specific indicators of exploitation attempts, such as:
    - “Illegal characters in path” exceptions
    - “Attempted to authenticate empty public key fingerprint” messages
    - Unusual combinations of authentication denial and successful key validation messages
- Log Management:
  - Review and, where needed, enhance logging configurations to capture all relevant indicators of compromise.
  - Consider reducing the log flush interval from the default 60 seconds to minimize the window of opportunity for attackers.
- User Authentication:
  - Implement multi-factor authentication (MFA) where possible.
  - Regularly review and update user access permissions.
- Incident Response Preparation:
  - Update incident response plans to address potential exploitation of this vulnerability.
  - Conduct a thorough review of system logs to check for any signs of past exploitation.
- Third-party Security Assessment:
  - Consider engaging a third-party security firm to conduct a thorough assessment of your MOVEit Transfer implementation and overall file transfer infrastructure.
- User Education:
  - Inform users about the potential risks and the importance of reporting any suspicious activity.
- Regular Security Audits:
  - Implement a schedule for regular security audits and vulnerability assessments of your file transfer systems.
Remember, while patching is the most critical step, a layered security approach incorporating multiple mitigation strategies provides the best protection against this and future vulnerabilities.
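As an added example (not code from WNE Security or Progress), the following Python scans a constructed set of log lines for the indicator classes listed under Enhanced Monitoring above. The “Illegal characters in path” and “empty public key fingerprint” strings are the ones quoted on this page; the key-validation and denial message wording, the “for user” format and the sample lines are assumptions.

```python
import re

# Constructed sample log lines (not real MOVEit output). They mimic the
# indicator classes listed under "Enhanced Monitoring" on this page.
SAMPLE_LOG = """\
2024-06-25 10:01:02 INFO  SFTP session opened from 203.0.113.10
2024-06-25 10:01:03 ERROR System.ArgumentException: Illegal characters in path.
2024-06-25 10:01:04 WARN  Attempted to authenticate empty public key fingerprint for user alice
2024-06-25 10:01:04 INFO  Public key validation succeeded for user alice
2024-06-25 10:01:04 INFO  Authentication denied for user alice
2024-06-25 10:05:00 INFO  Authentication succeeded for user bob
"""

# The first two strings are quoted on this page; the last two are assumed
# message shapes standing in for "successful key validation" and "denial".
INDICATORS = {
    "illegal_path_chars": re.compile(r"Illegal characters in path", re.I),
    "empty_key_fingerprint": re.compile(
        r"Attempted to authenticate empty public key fingerprint", re.I),
    "key_validation_ok": re.compile(r"Public key validation succeeded", re.I),
    "auth_denied": re.compile(r"Authentication denied", re.I),
}
USER_RE = re.compile(r"for user (\S+)")  # assumed user-name format


def scan_log(text: str) -> dict:
    """Count each indicator and list users that show both a successful key
    validation and an authentication denial in the same log window."""
    hits = {name: 0 for name in INDICATORS}
    key_ok_users, denied_users = set(), set()
    for line in text.splitlines():
        for name, pat in INDICATORS.items():
            if not pat.search(line):
                continue
            hits[name] += 1
            m = USER_RE.search(line)
            if m and name == "key_validation_ok":
                key_ok_users.add(m.group(1))
            elif m and name == "auth_denied":
                denied_users.add(m.group(1))
    hits["denied_but_key_validated"] = sorted(key_ok_users & denied_users)
    return hits


def is_suspicious(hits: dict) -> bool:
    """Either direct indicator, or the unusual denied+validated combination."""
    return (hits["empty_key_fingerprint"] > 0
            or hits["illegal_path_chars"] > 0
            or bool(hits["denied_but_key_validated"]))
```

Point the scanner at the exported MOVEit log text and treat any non-empty result from `is_suspicious` as a trigger for the log review step above.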
How CVE-2024-5806 Exploitation Works
The exploit for CVE-2024-5806 in Progress MOVEit Transfer works through a series of steps that take advantage of several vulnerabilities and design flaws in the authentication process. Here’s a detailed explanation of how the exploit works:
- Initial Vulnerability: The core issue lies in how MOVEit Transfer handles SSH public key authentication. The software allows a file path to be specified instead of a public key blob during the authentication process.
- Log File Injection:
  - Attackers can inject a specially crafted SSH public key into the server’s log files.
  - This is done by sending a malformed HTTP request to the ‘/guestaccess.aspx’ endpoint with the key data in the ‘Arg12’ parameter.
  - The server logs this data without proper sanitization.
- Key Format Exploitation:
  - The attack uses the PPK (PuTTY Private Key) file format, whose parser is more lenient.
  - This allows the injected key to be recognized even when surrounded by other log data.
- Authentication Request:
  - The attacker initiates an SFTP authentication request.
  - Instead of providing a valid public key, they specify the path to the log file containing the injected key.
- Server-Side Key Loading:
  - The server attempts to load the “public key” from the specified log file path.
  - Due to a flaw in the IPWorks SSH library, when loading a key from a file it passes an empty string to MOVEit instead of the actual key data.
- Authentication Bypass:
  - MOVEit’s authentication code has a logic flaw where it incorrectly handles the case of an empty key string.
  - It returns a “denied” result but doesn’t set an error code, which the calling code misinterprets as a successful partial authentication.
- Impersonation:
  - The server mistakenly believes that a valid public key authentication has occurred.
  - It then allows the attacker to proceed as if they were the user they’re attempting to impersonate.
- Complete Authentication:
  - On the second authentication attempt, the server sees that “public key” authentication has already succeeded (due to the previous step).
  - It then grants full access without requiring additional credentials.
- Arbitrary User Access:
  - The attacker now has full access to the system with the privileges of the impersonated user.
  - They can perform actions such as reading, writing, or deleting files as that user.
Key Aspects:
- The exploit doesn’t require prior access to the system.
- It bypasses normal authentication checks by exploiting how errors are handled in the authentication process.
- The attack leverages the interplay between MOVEit’s custom code and the third-party IPWorks SSH library.
- The only prerequisite is knowledge of a valid username, which can often be guessed or obtained through other means.
This exploit is particularly dangerous because it allows for authentication bypass and user impersonation without needing to crack or steal legitimate credentials. It essentially tricks the system into believing a valid authentication has occurred when it hasn’t.
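To show why “denied but no error code set” turns into a bypass, here is an added Python model of the result-handling flaw described above, with a fail-closed caller beside it. It is not MOVEit’s or IPWorks’ code; the Result and Outcome types, KNOWN_KEYS, the Session state and the two attempt functions are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Result(Enum):
    DENIED = "denied"
    PARTIAL = "partial"  # public key accepted; session may continue


@dataclass
class Outcome:
    result: Result
    error_code: Optional[int]  # None models "no error code was set"


# Constructed key material; any opaque strings would do.
KNOWN_KEYS = {"alice": {"ssh-ed25519 EXAMPLEKEY-alice"}}


def check_public_key(user: str, key_blob: str) -> Outcome:
    """Model of the key check described above (not MOVEit's code)."""
    if key_blob == "":
        # The flaw: the empty key is denied, but no error code is set.
        return Outcome(Result.DENIED, None)
    if key_blob in KNOWN_KEYS.get(user, set()):
        return Outcome(Result.PARTIAL, 0)
    return Outcome(Result.DENIED, 1)


@dataclass
class Session:
    user: str
    pubkey_ok: bool = False  # "public key step already passed"


def attempt_vulnerable(s: Session, key_blob: str) -> bool:
    """Caller that trusts the error code: 'no error' counts as progress.
    Returns True when full access would be granted."""
    if s.pubkey_ok:
        return True  # second attempt: key step already 'passed'
    o = check_public_key(s.user, key_blob)
    s.pubkey_ok = o.error_code in (None, 0)
    return False


def attempt_hardened(s: Session, key_blob: str) -> bool:
    """Fail closed: only an explicit PARTIAL with error code 0 advances state."""
    if s.pubkey_ok:
        return True
    o = check_public_key(s.user, key_blob)
    s.pubkey_ok = (o.result is Result.PARTIAL and o.error_code == 0)
    return False
```

With the vulnerable caller, two attempts carrying an empty key blob end in full access; the hardened caller never advances past the key step for that input.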