MOVEit Transfer is a secure file transfer software designed to enable businesses to manage critical file transfers through a centralized platform.
During 2023 many new CVE were found in the software, mainly utilizing SQL Injection and XSS technics. Considering the widespread adoption of the software globally, it is nessasery to have sufficient layers of security that can provide prevention during the zero day phase (pre-emptive security) – before the vulnerability become known to the public, and the CVE number is assigned.
Understanding CVE-2023-36934
CVE-2023-36934 was published on 2023-07-05 and assigned with a high CVE Base score of 9.1 (Critical). The Vulnerability allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.
The vulnerability is specifically located in the /human.aspx and machine.aspx endpoints. Publicly available Proof of Concept (POC) examples offer insights into the exploitation of this vulnerability.
A publicly available POC developed by ProjectDiscovery illustrates the exploitation process through a four-step approach:
Source: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-36934.yaml
1. First POST Request to /human.aspx:
Details: The SQL commands in the URL are designed to insert a new session with the specified session ID ({{session_cookie}}) and update various session attributes such as Username, LoginName, RealName, InstId, IpAddress, LastTouch, DMZInterface, Timeout, ResilNode, and AcctReady
Goal: The goal is to create a new session in the database with elevated privileges and specific attributes, effectively positioning the session as a legitimate and authorized user.
2. Second POST Request to /human.aspx with ep Parameter:
Details: The transaction is set to passchangerequest.
Goal: Setting the parameter passchangerequest that triggers the corresponding vulnerable function which can run the SQL Injection code
3. Third POST Request to /machine.aspx
Details: It includes a cookie with the session information (ASP.NET_SessionId={{session}}), using the manipulated session from the previous steps.
Goal: To execute the SQL injection using the previously manipulated session variables.
4. Fourth POST Request to /api/v1/auth/token
Details: The request targets an API endpoint, using credentials and the session cookie to request an access token.
Goal: To acquire an access token for authenticated access within the application, leveraging the privileges obtained through the SQL injection
WAF Pre-emptive protection
It is crucial to minimize the 'Vulnerability Window' - the period between the initial discovery of a vulnerability (the zero-day phase) and the implementation of remediation measures, such as software updates or WAF signature rule updates.
Among the four steps outlined in the CVE-2023-36934 exploit, only the first one exhibits clear indicators of a SQL Injection (SQLi) attack, making it the primary target for preemptive detection and blocking.
To evaluate this, an AppSec Agent was deployed in a test environment. We deactivated the IPS rule model and replicated the attack using the POC reference.
Our findings revealed that both open-appsec and CloudGuard AppSec effectively provide preemptive protection against CVE-2023-36934, demonstrating their capability to secure systems before vulnerabilities are widely known, exploited, or any remediation actions become available.
Summary
This blog examined CVE-2023-36934, a critical vulnerability in MOVEit Transfer software. We detailed the vulnerability's exploitation mechanism and the importance of closing the 'Vulnerability Window', the period between vulnerability discovery and remediation.
A test was conducted with open-appsec/CloudGuard AppSec, revealing their ability to offer preemptive protection against this vulnerability, even before widespread awareness or remediation actions. This underscores the crucial role of advanced security systems in defending against zero-day threats.
open-appsec is an open-source project that builds on machine learning to provide pre-emptive web app & API threat protection against OWASP-Top-10 and zero-day attacks. It simplifies maintenance as there is no threat signature upkeep and exception handling, like common in many WAF solutions.
To learn more about how open-appsec works, see this White Paper and the in-depth Video Tutorial. You can also experiment with deployment in the free Playground.
