======================================================================
CERT-Renater Note d'Information No. 2024/VULN303
_____________________________________________________________________

DATE                 : 27/06/2024
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running MOVEit Transfer versions prior to
                       2023.0.11, 2023.1.6, 2024.0.2.
=====================================================================

https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806
_____________________________________________________________________

MOVEit Transfer Critical Security Alert Bulletin – June 2024 – (CVE-2024-5806)

CVSS: 9.1 (CRITICAL)

Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.

Affects: This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.

Published      : 25 Jun 2024
Article Number : 000259290

Revision History
  June 25, 2024 @ 10:59AM EST  Initial publication
  June 25, 2024 @ 7:15PM EST   Change to CVSS score and severity, additional detail regarding 3rd party vulnerability

If you have not done so already, we strongly urge all MOVEit Transfer customers on versions 2023.0, 2023.1 and 2024.0 to upgrade to the latest patched version immediately, and also to apply the mitigation steps for the third-party vulnerability listed below.

If you have any questions or concerns related to this issue, please log in to open a new Technical Support case. Technical Support is available to MOVEit Transfer customers under warranty and active maintenance. If your version is no longer supported as part of the MOVEit Product Lifecycle, you should upgrade to a supported and fixed version.
Issue

CWE-287 Improper Authentication - CVE-2024-5806
CVSS: 9.1 (CRITICAL)

Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass. This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.

What action(s) do I need to take?

Solution

We have addressed the MOVEit Transfer vulnerability and the Progress MOVEit team strongly recommends performing an upgrade to the latest version listed in the table below.

Newly identified 3rd Party Vulnerability

A newly identified vulnerability in a third-party component used in MOVEit Transfer elevates the risk of the original issue mentioned above if left unpatched. While the patch distributed by Progress on June 11th successfully remediates the issue identified in CVE-2024-5806, this newly disclosed third-party vulnerability introduces new risk. Please work with your internal teams to take the following steps to mitigate the third-party vulnerability.

Steps customers should take to mitigate the third-party vulnerability:
  - Verify you have blocked public inbound RDP access to MOVEit Transfer server(s)
  - Limit outbound access to only known trusted endpoints from MOVEit Transfer server(s)

When the third-party vendor releases a fix, we will make that available to MOVEit Transfer customers.

PLEASE NOTE: Upgrading to a patched release, using the full installer, is the only way to remediate this issue. There will be an outage to the system while the upgrade is running.

For all customers on a current maintenance agreement, the upgrade can be accessed by logging into the Progress Community - https://community.progress.com/s/. Customers that are not on a current maintenance agreement should contact the Progress Renewals team or your Progress partner account representative.

To confirm your current version of MOVEit Transfer please see MOVEit Transfer - How to Check My Software Version.
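The two checks a MOVEit Transfer administrator needs from this bulletin are (a) whether an installed version falls inside one of the three affected ranges and (b) whether the host firewall actually enforces the two third-party mitigation steps (no public inbound RDP, outbound limited to trusted endpoints). The following PowerShell is an added example written for this note; it is not code from Progress or from CERT-Renater. It assumes a Windows host with the built-in NetSecurity module, an elevated session, and that the version string is supplied by the operator (the bulletin's "How to Check My Software Version" article describes where to read it). The rule names and the trusted-endpoint list are placeholders chosen for the example.

```powershell
# Added example for the CERT-Renater note; not vendor code.
# Assumes: Windows host, elevated PowerShell, NetSecurity module present.

# Affected ranges exactly as stated in the bulletin: [Start, Fixed) per branch.
$AffectedRanges = @(
    @{ Start = [version]'2023.0.0'; Fixed = [version]'2023.0.11' },
    @{ Start = [version]'2023.1.0'; Fixed = [version]'2023.1.6'  },
    @{ Start = [version]'2024.0.0'; Fixed = [version]'2024.0.2'  }
)

function Test-MoveitVulnerableVersion {
    # Returns an object saying whether $Version is inside an affected range
    # and, if so, the first fixed build of that branch.
    param([Parameter(Mandatory)][string]$Version)
    $v = [version]$Version
    foreach ($r in $AffectedRanges) {
        if ($v -ge $r.Start -and $v -lt $r.Fixed) {
            return [pscustomobject]@{ Version = $Version; Vulnerable = $true; UpgradeTo = $r.Fixed.ToString() }
        }
    }
    [pscustomobject]@{ Version = $Version; Vulnerable = $false; UpgradeTo = $null }
}

function Get-InboundRdpExposure {
    # Lists enabled inbound ALLOW rules that admit TCP/3389 from any remote
    # address. An empty result is what the bulletin's first step asks for.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $af = $_ | Get-NetFirewallAddressFilter
            $pf.Protocol -eq 'TCP' -and
            ($pf.LocalPort -contains '3389' -or $pf.LocalPort -eq 'Any') -and
            $af.RemoteAddress -eq 'Any'
        } | Select-Object DisplayName, Profile
}

function Set-InboundRdpBlock {
    # Explicit block rule; in Windows Firewall a block rule wins over any
    # allow rule for the same traffic, so this closes public RDP even if an
    # allow rule remains. Rule name is a placeholder for this example.
    $name = 'CERT-Mitigation-Block-Inbound-RDP'
    if (-not (Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name $name -DisplayName $name -Direction Inbound `
            -Protocol TCP -LocalPort 3389 -Action Block -Profile Any | Out-Null
    }
    Get-NetFirewallRule -Name $name | Select-Object DisplayName, Enabled, Action
}

function Set-OutboundAllowList {
    # Second mitigation step: allow only $TrustedEndpoints outbound, then make
    # the profile default deny outbound. Create the allow rule BEFORE flipping
    # the default so the host never loses its required connectivity.
    param([Parameter(Mandatory)][string[]]$TrustedEndpoints)
    $name = 'CERT-Mitigation-Allow-Outbound-Trusted'
    if (-not (Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name $name -DisplayName $name -Direction Outbound `
            -RemoteAddress $TrustedEndpoints -Action Allow -Profile Any | Out-Null
    }
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
    Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
}

# Usage (values are constructed for the example):
Test-MoveitVulnerableVersion -Version '2023.1.5'    # Vulnerable, UpgradeTo 2023.1.6
Test-MoveitVulnerableVersion -Version '2024.0.2'    # not vulnerable
Get-InboundRdpExposure
Set-InboundRdpBlock
# Set-OutboundAllowList -TrustedEndpoints '10.0.0.10', '10.0.0.11'   # DB, AD, etc.
```

The outbound call is commented out in the usage lines on purpose: the bulletin says "known trusted endpoints", and on a real server that list must include the database host, domain controllers, DNS, update and licensing endpoints and any partner SFTP peers before the default is switched to Block, otherwise the change itself causes an outage. Run `Get-InboundRdpExposure` again after `Set-InboundRdpBlock` to confirm no allow rule still exposes 3389; the block rule overrides any that remain, but removing them keeps the policy readable.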
Fixed Version            Documentation              Release Notes
MOVEit Transfer 2023.0.11  Install and upgrade guide  Release Notes - 2023.0.11
MOVEit Transfer 2023.1.6   Install and upgrade guide  Release Notes - 2023.1.6
MOVEit Transfer 2024.0.2   Install and upgrade guide  Release Notes - 2024.0.2

For customers on MOVEit Cloud, no further action is needed as the MOVEit Transfer patch has already been deployed to MOVEit Cloud. In addition, our MOVEit Cloud infrastructure is safeguarded against the recently disclosed third-party vulnerability through strict access controls on the underlying infrastructure.

Additional Information

To receive email notifications for Product and Security Updates like this, please log into the Progress Community Portal and sign up for our Progress Alert and Notification Service (PANS). Please see our FAQ page regarding Frequently Asked Questions (FAQ) for Progress Alert Notifications (PANS).

Last Modified Date: 25/06/2024 23:41

=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel     | fax : 01-53-94-20-41           +
+ 75013 Paris          | email:cert@support.renater.fr  +
=========================================================