Update 15/06/23:
After more exploits were discovered and further research was undertaken, Idappcom have released the following additional signatures:
8023939 MOVEit Transfer - File Upload (CVE-2023-34362)
8023940 MOVEit Transfer - 'X-siLock-SessVar' SQL Injection (CVE-2023-34362)
8023941 MOVEit Transfer - Trigger Payload - RCE (CVE-2023-34362)
Application Details
Progress MOVEit Transfer is a web based file transfer solution.
Vulnerability
An SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database.
Identification
Researchers from Huntress discovered that the exploit creates a 'human2.aspx' file within the C:\MOVEitTransfer\wwwroot\ directory. This file enforces a static password for access, determined by the 'X-siLock-Comment' HTTP header. If this password is not supplied, the server returns a 404 and does nothing further.
Request HTTP Header - X-siLock-Comment
Additional HTTP Headers Identified:
X-siLock-Step1
X-siLock-Step2
X-siLock-Step3
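A log-side check for the file described above, as an added example (not Idappcom's or Huntress's code): it scans IIS W3C log text for requests to human2.aspx. The sample log lines, IP addresses and the function name are constructed for illustration.

```python
# Added example: triage IIS W3C log text for requests to the human2.aspx
# file named in the Identification section. All sample data is constructed.

WEBSHELL = "human2.aspx"

# Constructed sample log (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2023-06-01 10:00:01 198.51.100.7 GET /human.aspx 200
2023-06-01 10:02:13 203.0.113.9 GET /human2.aspx 404
2023-06-01 10:02:20 203.0.113.9 GET /Human2.aspx 200
2023-06-01 10:05:00 198.51.100.7 POST /guestaccess.aspx 200
"""

def find_webshell_hits(log_text, name=WEBSHELL):
    """Return one dict per logged request whose URI stem ends in `name`."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        # IIS paths are case-insensitive, so compare the lowercased file name.
        if stem.lower().rsplit("/", 1)[-1] != name:
            continue
        status = row.get("sc-status", "")
        # The file answers 404 when the static password is not supplied, so a
        # 404 in the log does not show that the file is absent from wwwroot.
        verdict = "file-responded" if status == "200" else "inconclusive-check-disk"
        hits.append({
            "time": f"{row.get('date', '')} {row.get('time', '')}".strip(),
            "client": row.get("c-ip", ""),
            "status": status,
            "verdict": verdict,
        })
    return hits

if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print(hit)
```

Any hit, whatever its status code, warrants checking the wwwroot directory on disk for the file itself.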
Detection
By creating multiple signatures and traffic files, we are able to detect attempts to exploit the MOVEit Transfer Application.
Coverage
Idappcom has created signature 8023895 as well as signatures 8023905-8023907 along with their respective traffic files.
Traffic IQ
If you are concerned that your business may be at risk of this vulnerability, or others, why not try out our Traffic IQ software which can scan your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional