CVE-2023-42660

8.8 HIGH

📋 TL;DR

This SQL injection vulnerability in Progress MOVEit Transfer allows authenticated attackers to execute arbitrary SQL commands against the database. Attackers could read, modify, or delete sensitive data stored in MOVEit Transfer. Organizations using affected versions of MOVEit Transfer are at risk.

💻 Affected Systems

Products:
  • Progress MOVEit Transfer
Versions: before 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6)
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the machine interface. All deployments with affected versions are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the MOVEit Transfer database including exfiltration of all stored files, user credentials, and configuration data, potentially leading to data breach and system takeover.

🟠 Likely Case

Unauthorized access to sensitive files and user data stored in MOVEit Transfer, potentially leading to data theft and compliance violations.

🟢 If Mitigated

Limited impact with proper network segmentation, database permissions, and monitoring in place, though risk remains until patched.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities are commonly exploited. Exploitation requires authenticated access, but MOVEit Transfer deployments often have many user accounts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9), 2023.0.6 (15.0.6) or later

Vendor Advisory: https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-September-2023

Restart Required: Yes

Instructions:

1. Download the appropriate service pack from the Progress support portal.
2. Back up your MOVEit Transfer database and configuration.
3. Apply the service pack following Progress documentation.
4. Restart MOVEit Transfer services.
5. Verify the patch is applied successfully.

🔧 Temporary Workarounds

Restrict Machine Interface Access

all

Limit network access to the MOVEit Transfer machine interface to only trusted IP addresses or networks.

Implement Web Application Firewall

all

Deploy a WAF with SQL injection protection rules in front of MOVEit Transfer.

🧯 If You Can't Patch

  • Isolate MOVEit Transfer systems from the internet and restrict internal network access
  • Implement strict database permissions and monitor for unusual SQL queries

🔍 How to Verify

Check if Vulnerable:

Check MOVEit Transfer version in the admin interface or via the MOVEit Transfer installation directory.

Check Version:

Check the version.txt file in the MOVEit Transfer installation directory or use the admin web interface.

Verify Fix Applied:

Verify the installed version matches or exceeds the patched version for its release branch, as listed in the advisory.
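
The following is an added example, not code from Progress or from the original page: a branch-aware version check, since a plain "greater than" comparison would wrongly pass 14.0.5 as newer than 13.1.8. The input string format and the year-to-internal-number offset for years not listed on this page are assumptions.

```python
import re

# Fixed builds per release branch, from the "Patch Version" line on this page.
# Key: (major, minor) of the internal version; value: first fixed patch level.
FIXED = {(13, 1): 8, (14, 0): 8, (14, 1): 9, (15, 0): 6}

# The page pairs 2021 -> 13, 2022 -> 14, 2023 -> 15. Assumption: the same
# offset applies to year-style names outside that range.
YEAR_OFFSET = 2008


def parse_version(text):
    """Return (major, minor, patch) from '14.0.5', '2022.0.5' or '14.0.5.45'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    if major >= 2000:  # year-style name, convert to the internal number
        major -= YEAR_OFFSET
    return major, minor, patch


def status(text):
    """Classify an installed version as 'patched', 'vulnerable' or 'unknown'."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED:
        return "patched" if patch >= FIXED[branch] else "vulnerable"
    if branch < min(FIXED):
        # Older than the oldest fixed branch: everything before 13.1.8 is
        # listed as affected, and no fixed build is listed for these branches.
        return "vulnerable"
    if branch > max(FIXED):
        # Assumption: a branch newer than 15.0 postdates every fixed release.
        return "patched"
    return "unknown"  # branch between listed ones; check the vendor advisory


if __name__ == "__main__":
    # Constructed sample inputs, e.g. strings read from version.txt.
    for sample in ("14.0.5", "2022.1.9", "13.0.9", "15.0.6.12"):
        print(sample, "->", status(sample))
```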

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed authentication attempts followed by successful login
  • Unexpected database schema changes

Network Indicators:

  • Unusual traffic patterns to the machine interface endpoint
  • SQL error messages in HTTP responses

SIEM Query:

source="moveit-transfer" AND (event_type="sql_error" OR (event_type="database_query" AND (query="*SELECT*" OR query="*INSERT*" OR query="*UPDATE*" OR query="*DELETE*")))
