Application Details
MOVEit is a managed file transfer software product produced by Ipswitch, Inc. MOVEit encrypts files and uses file transfer protocols such as FTP or SFTP to transfer data, as well as providing automation services, analytics and failover options.
Vulnerability
Progress MOVEit Transfer could allow a remote attacker to bypass security restrictions, caused by an improper authentication vulnerability in the SFTP module. This vulnerability could allow an attacker to bypass authentication by exploiting improper handling of SSH key data which could result in an attacker logging in as any user,
Identification
By sending a specially crafted request, an attacker could exploit this vulnerability to bypass SFTP authentication and gain access to the MOVEit Transfer and Gateway systems.
POST /guestaccess.aspx
PAYLOAD -
transaction=signoff&Arg12=
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "watchtowr@watchtowr.com"
AAAAB3NzaC1kc3MAAACBAIrAsIu1tvkRHImLwuv9/OhnHwhPjndOX17quEPJBAcq
...
AzY4ofp+AFdG4m064RsTi2GBR7Tr1WiQmCywPcv6SKBi5roxPCi3x1aotjQnd6JN
Pw==
---- END SSH2 PUBLIC KEY ----
Detection
By turning this into a traffic file and matching rule, we are able to detect attempts to bypass security restrictions,
Coverage
Idappcom has created signature 8025081 along with a traffic file for this vulnerability.
References
Traffic IQ
If you are concerned that your business may be at risk of this vulnerability, or others, why not try out our Traffic IQ software which can scan your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional
Comments