Progress Software, the operator of the MOVEit Transfer managed file transfer product, has released a second patch for a newly discovered vulnerability distinct from CVE-2023-34362, the SQL injection bug currently under widespread exploitation by the Russian-speaking Clop cyber extortion gang.
This vulnerability, which has not at the time of writing been assigned a CVE number, was discovered by external analysts working alongside Progress to probe MOVEit Transfer for any further issues.
“We have partnered with third-party cyber security experts to conduct further detailed code reviews as an added layer of protection for our customers,” Progress said in a statement.
“As part of these code reviews, cyber security firm Huntress has helped us to uncover additional vulnerabilities that could potentially be used by a bad actor to stage an exploit. These newly discovered vulnerabilities are distinct from the previously reported vulnerability shared on May 31, 2023. All MOVEit Transfer customers must apply the new patch, released on 9 June 2023.”
The vulnerability in question is also a SQL injection flaw and affects all versions of MOVEit Transfer. Progress said that, left unpatched, an unauthenticated attacker could gain unauthorised access to the MOVEit Transfer database and submit a crafted payload to it that would give them the ability to modify and disclose – i.e. steal – its content. This would have a similar impact to CVE-2023-34362.
Progress said that users who have not yet applied the CVE-2023-34362 patch should refer to its initial guidance from 31 May, which will also now protect them from the new vulnerability. Those who have applied the first patch and followed the recommended remediation steps should now proceed to apply the second patch as outlined in Progress's advisory, using only the patch links included in its official documentation. It added that MOVEit Cloud has also been patched with the 9 June patch.
In the interests of flexibility, Progress has provided both a full installer version of the patch and a dynamic link library (DLL) version that users can drop in to an existing installation.
MOVEit users are further advised to review their audit logs for any unusual or suspicious activity, such as unexpected file downloads, and to review access logs and system logs.
Computer Weekly reached out to Huntress Security, but had not received a response at the time of publication.
Clock ticking
With under 72 hours now remaining until Clop begins leaking the data it has stolen, more victims have been coming forward around the world in the past few days. Among those to have raised their hands, as reported by Security Week, are two US state bodies in Illinois and Minnesota.
The Illinois Department of Innovation and Technology said it was investigating the impact of the attack but has not yet identified what data it has lost, although it said it suspected a “large number of individuals” were affected. The Minnesota Department of Education (MDE) said that 24 files were affected, containing the names of 95,000 children placed in foster care, as well as data on students qualifying for Covid-19 benefits, students taking courses to earn college credits, and students who used a particular school bus route in the city of Minneapolis.
Clop has claimed that it has erased data taken from public bodies. This claim cannot be independently verified.
Prior to the weekend, it also emerged that Extreme Networks had been affected by the incident. The networking hardware and software supplier is believed to be still assessing whether or not customer data has been taken.