
Understanding CVE-2024-5806: Vulnerability Details and Mitigation Strategies


Executive Summary

CVE-2024-5806 is a critical improper authentication vulnerability identified in the Progress MOVEit Transfer software, specifically affecting its SFTP module. This vulnerability allows attackers to bypass authentication mechanisms, potentially leading to unauthorized access to sensitive data. The vulnerability has a CVSS v3.1 Base Score of 9.1, indicating its critical nature. Immediate action is required to mitigate the risks associated with this vulnerability.

Technical Information

CVE-2024-5806 arises due to improper authentication handling in the SFTP module of MOVEit Transfer. This flaw can be exploited by remote attackers to bypass authentication and gain unauthorized access to the system. The vulnerability affects the following versions of MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, and from 2024.0.0 before 2024.0.2. The vulnerability's vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating that it can be exploited remotely without any user interaction, and it has a high impact on confidentiality and integrity.

The vulnerability allows attackers to establish an authenticated SFTP session for a MOVEit Transfer user, enabling them to list the contents of a directory and read arbitrary files. This can lead to data breaches and other malicious activities, as attackers can exfiltrate sensitive data from the compromised system.

Exploitation in the Wild

There have been reports of active exploitation of CVE-2024-5806 in the wild. Attackers have been observed leveraging this vulnerability to gain unauthorized access to MOVEit Transfer systems. They often use automated scripts to exploit the flaw and exfiltrate sensitive data. Public tooling for this vulnerability includes a Metasploit module named progress_moveit_sftp_fileread_cve_2024_5806.rb, which allows an attacker to establish an authenticated SFTP session as a MOVEit Transfer user. The module supports both listing the contents of a directory and reading an arbitrary file. More details can be found here: https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/progress_moveit_sftp_fileread_cve_2024_5806.rb.

Additionally, WatchTowr Labs has published an exploit detailing the steps to exploit this vulnerability. The exploit can be found here: https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/.

APT Groups using this vulnerability

While specific APT groups exploiting CVE-2024-5806 have not been publicly identified, the nature of the vulnerability makes it a likely target for groups specializing in data exfiltration and espionage. These groups often target sectors such as finance, healthcare, and government, where sensitive data is highly valuable.

Affected Product Versions

The following versions of MOVEit Transfer are affected by CVE-2024-5806:

- MOVEit Transfer: from 2023.0.0 before 2023.0.11
- MOVEit Transfer: from 2023.1.0 before 2023.1.6
- MOVEit Transfer: from 2024.0.0 before 2024.0.2

Workaround and Mitigation

To mitigate the risk associated with CVE-2024-5806, it is recommended to update MOVEit Transfer to the latest version that addresses this vulnerability. Specifically, versions 2023.0.11, 2023.1.6, and 2024.0.2 or later contain the necessary patches. Additionally, implement network monitoring to detect unusual activity that may indicate exploitation attempts and regularly review access logs for signs of unauthorized access or other suspicious activities.
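As an added example (not code from this report, Progress, or Rescana), the check below maps a MOVEit Transfer version string onto the affected and fixed ranges listed above, so an inventory script can flag installs that still need the update. The version-string format (major.minor.patch with an optional build number) is an assumption.

```python
"""Classify a MOVEit Transfer version against the CVE-2024-5806 affected ranges.

Added example; the ranges below are copied from the advisory text, the
version-string format is assumed.
"""
import re

# (first affected, first fixed) per release branch, from the advisory.
AFFECTED_RANGES = [
    ((2023, 0, 0), (2023, 0, 11)),
    ((2023, 1, 0), (2023, 1, 6)),
    ((2024, 0, 0), (2024, 0, 2)),
]


def parse_version(text):
    """'2024.0.1' -> (2024, 0, 1). Missing components count as 0; a trailing
    build number such as '2023.1.6.123' is ignored for the range comparison."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.\d+)*\s*", text)
    if not m:
        raise ValueError(f"not a MOVEit Transfer version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def cve_2024_5806_status(text):
    """Return 'affected', 'fixed', or 'unlisted'.

    'unlisted' means the release branch is not covered by the advisory's
    ranges at all, which is different from being confirmed fixed."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if v[:2] != lo[:2]:
            continue  # different release branch (major.minor)
        return "affected" if lo <= v < hi else "fixed"
    return "unlisted"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, version in [("mft-01", "2023.0.10"), ("mft-02", "2023.1.6"),
                          ("mft-03", "2024.0.1"), ("mft-04", "2022.1.5")]:
        print(f"{host}: {version} -> {cve_2024_5806_status(version)}")
```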

References

For more detailed information on CVE-2024-5806, please refer to the following resources:

- NVD CVE-2024-5806: https://nvd.nist.gov/vuln/detail/CVE-2024-5806
- Progress MOVEit Transfer Product Security Alert: https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806
- Kroll Cyber Risk Insights: https://www.kroll.com/en/insights/publications/cyber/progress-moveit-transfer-cve-2024-5806
- Rapid7 Blog on Authentication Bypasses: https://www.rapid7.com/blog/post/2024/06/25/etr-authentication-bypasses-in-moveit-transfer-and-moveit-gateway/
- Beazley Security Alert: https://beazley.security/alerts-advisories/critical-vulnerability-in-moveit-transfer-cve-2024-5806
- WatchTowr Labs Exploit: https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/

Rescana is here for you

At Rescana, we understand the critical nature of cybersecurity threats and the importance of timely and effective mitigation. Our Continuous Threat and Exposure Management (CTEM) platform helps organizations identify, assess, and mitigate vulnerabilities like CVE-2024-5806. We are committed to providing our customers with the tools and support they need to protect their systems and data. If you have any questions about this report or any other issue, please contact us at ops@rescana.com.
