A serious SQL injection vulnerability (CVE-2023-34362) has been discovered in the MOVEit Transfer web application. It affects all versions of MOVEit Transfer prior to the following fixed releases: 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). The issue was exploited in the wild in May and June 2023. Unpatched systems are exposed to this exploit over HTTP or HTTPS.

Overview

The SQL injection vulnerability in MOVEit Transfer allows an unauthenticated attacker to access and manipulate the application's database. Depending on the database engine in use (MySQL, Microsoft SQL Server, or Azure SQL), the attacker may be able to infer the database's structure and contents and execute SQL statements that alter or delete elements within the database.

Code Snippet

While the exact exploit code is not disclosed here for security reasons, a simplified example of the SQL injection looks like this:

SELECT * FROM users WHERE username = '' or '1' = '1' -- ' AND password = 'password';

In this example, the attacker supplies "' or '1' = '1' --" as the username: the first quote closes the string literal, "or '1' = '1'" makes the WHERE clause always true, and "--" comments out the rest of the statement, including the password check, so the query returns rows without valid credentials. Note that this is a textbook login-bypass payload chosen to illustrate the vulnerability class; it is not the specific query or injection point in MOVEit Transfer.
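To make the mechanism concrete, the following added example (written for this page, not code from MOVEit Transfer or Progress) runs the same payload against a constructed in-memory SQLite table. The users table, its rows and the two login functions are assumptions for illustration; the vulnerable function splices input into the SQL text exactly as the query above does, while the hardened function passes the values as bound parameters.

```python
import sqlite3

# Injected value from the text: closes the string literal, adds an always-true
# disjunct, and comments out the rest of the statement.
PAYLOAD = "' or '1' = '1' --"


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Untrusted input is concatenated into the SQL text (the injectable pattern)."""
    query = (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    # With PAYLOAD as the username this becomes:
    # SELECT id, username FROM users WHERE username = '' or '1' = '1' --' AND password = '...'
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: values travel separately from the SQL text, so quotes
    and comment markers in the input are matched literally, never parsed as SQL."""
    query = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo() -> dict:
    """Run the payload through both variants and a legitimate login through the safe one."""
    conn = build_db()
    return {
        "vulnerable": login_vulnerable(conn, PAYLOAD, "wrong"),
        "safe": login_safe(conn, PAYLOAD, "wrong"),
        "legit": login_safe(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable variant returns every user even though the password is wrong, while the parameterised variant returns nothing for the payload and still authenticates a genuine username/password pair. Bound parameters, not input filtering, are the fix for this class of bug regardless of the database engine behind the application.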

Original References

Progress has provided a security advisory regarding this vulnerability, which can be found at the following links:
- Progress Security Advisory for CVE-2023-34362

Exploit Details

The vulnerability was successfully exploited in the wild in May and June 2023. Systems still running older, unsupported versions of MOVEit Transfer (e.g., 2020.x and 2019.x) are affected by this vulnerability as well and have no fixed release on their branch.

Mitigation

To mitigate the risk of SQL injection attacks, it is highly recommended to upgrade to the latest version of MOVEit Transfer as soon as possible. The versions that address this vulnerability are as follows:
- 2021.0.6 (13.0.6)
- 2021.1.4 (13.1.4)
- 2022.0.4 (14.0.4)
- 2022.1.5 (14.1.5)
- 2023.0.1 (15.0.1)
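When triaging an inventory of MOVEit Transfer installs, the fixed version depends on the release branch a server is on (2021.0.x, 2021.1.x and so on), and the same release appears under both a year-based and an internal number (13.x = 2021, 14.x = 2022, 15.x = 2023). The following added helper (written for this page, not a Progress tool) encodes those fixed releases and classifies a reported version string; the mapping of internal major numbers to years and the treatment of pre-2021 branches as unsupported follow the text above, and any version string format beyond "year.minor.patch" or "internal.minor.patch" is an assumption.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases keyed by (year, minor) branch, as listed in the advisory.
FIXED = {
    (2021, 0): (2021, 0, 6),
    (2021, 1): (2021, 1, 4),
    (2022, 0): (2022, 0, 4),
    (2022, 1): (2022, 1, 5),
    (2023, 0): (2023, 0, 1),
}

# Internal major number -> year-based major, so "14.1.5" and "2022.1.5" compare equal.
INTERNAL_TO_YEAR = {13: 2021, 14: 2022, 15: 2023}


def parse_version(text: str) -> Version:
    """Parse '2022.1.5', '14.1.5' or '2022.1.5 (14.1.5)' into (year, minor, patch).

    Only the first dotted triple is used; the parenthesised alias is ignored.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major < 100:  # internal numbering (13.x, 14.x, 15.x)
        if major not in INTERNAL_TO_YEAR:
            raise ValueError(f"unknown internal major version in {text!r}")
        major = INTERNAL_TO_YEAR[major]
    return major, minor, patch


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended_version) for a reported MOVEit Transfer version.

    status is 'patched', 'vulnerable' or 'unknown'. recommended_version is the
    fixed release on the same branch, or None when no fix exists on that branch.
    """
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED:
        fixed = FIXED[branch]
        target = ".".join(str(n) for n in fixed)
        return ("patched", target) if v >= fixed else ("vulnerable", target)
    if v[0] < 2021:
        # Unsupported branch: no fix on this line, must move to a fixed release.
        return ("vulnerable", None)
    # A branch newer than those in the advisory: consult the vendor advisory.
    return ("unknown", None)


if __name__ == "__main__":
    for sample in ["2021.0.5", "13.0.6", "2022.1.5 (14.1.5)", "2020.1.6", "2023.1.0"]:
        print(sample, "->", assess(sample))
```

Comparing tuples rather than strings avoids the classic mistake of treating "2021.0.10" as lower than "2021.0.6"; returning an explicit "unknown" for branches the advisory does not list keeps the script from silently marking newer releases as safe.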

Conclusion

The SQL injection vulnerability (CVE-2023-34362) discovered in MOVEit Transfer is a severe issue, allowing unauthenticated attackers to access and manipulate the application's database. Since this vulnerability has been exploited in the wild, it is of utmost importance that users of MOVEit Transfer upgrade to one of the patched versions listed above. Doing so greatly reduces the risk of falling victim to SQL injection attacks targeting this vulnerability.

Timeline

Published on: 06/02/2023 14:15:00 UTC
Last modified on: 06/12/2023 14:07:00 UTC