Manufacturer Progress closes three security gaps in the MOVEit Transfer software with a service pack in September. Two of them are considered high risk. Since MOVEit Transfer has been targeted by cybercriminals in the past, IT managers should apply the updates quickly.
Authenticated attackers can abuse a SQL injection vulnerability in the machine interface to gain unauthorized access to the MOVEit Transfer database and read or modify its contents (CVE-2023-42660, CVSS 8.8, high risk). A similar flaw exists in the software's web interface: a system administrator could exploit a SQL injection vulnerability there with crafted requests to disclose or modify database content (CVE-2023-40043, CVSS 7.2, high).
MOVEit Transfer: Three security holes closed
The Progress service pack announcement describes a third vulnerability as cross-site scripting. During a so-called package composition procedure, manipulated content could be presented to users in the web interface, leading to the execution of malicious JavaScript in the user's context (CVE-2023-42656, CVSS 6.1, medium).
The security bugs are fixed in the updated versions MOVEit Transfer 2021.1.8 (13.1.8), 2022.0.8 (14.0.8), 2022.1.9 (14.1.9) and 2023.0.6 (15.0.6). Anyone still running older versions up to and including MOVEit Transfer 2021.0.x (13.0.x) should migrate to a version that is still supported. In the announcement, the Progress developers link to instructions and downloads for the updated packages.
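Because Progress publishes each release under two numbering schemes, it is easy to misjudge whether an installed build is already on a fixed release. The following is an added example, not Progress tooling, that classifies a version string from either scheme against the four fixed releases listed above; the mapping internal major = year - 2008 is inferred from the four pairs on this page and is an assumption.

```python
from typing import Tuple

# Fixed releases per branch, keyed as (year, minor), taken from the announcement.
# Progress also numbers them 13.1.8, 14.0.8, 14.1.9 and 15.0.6.
FIXED = {
    (2021, 1): (2021, 1, 8),
    (2022, 0): (2022, 0, 8),
    (2022, 1): (2022, 1, 9),
    (2023, 0): (2023, 0, 6),
}
# Assumption inferred from the pairs above (13 -> 2021, 14 -> 2022, 15 -> 2023).
INTERNAL_OFFSET = 2008


def parse_version(text: str) -> Tuple[int, int, int]:
    """Accept '2022.1.5' or the internal form '14.1.5'; return (year, minor, patch)."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected MOVEit Transfer version format: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    if major < 100:  # internal numbering, e.g. 14.1.5
        major += INTERNAL_OFFSET
    return major, minor, patch


def patch_status(text: str) -> str:
    """Classify an installed version relative to the September service pack.

    'patched'             - on a fixed branch at or above the fixed release
    'update_required'     - on a fixed branch but below the fixed release
    'unsupported_migrate' - 2021.0.x (13.0.x) or older: no fix, migrate
    'unknown_branch'      - newer than the announcement covers; check vendor
    """
    year, minor, patch = parse_version(text)
    branch = (year, minor)
    if branch in FIXED:
        return "patched" if (year, minor, patch) >= FIXED[branch] else "update_required"
    if branch < min(FIXED):
        return "unsupported_migrate"
    return "unknown_branch"


if __name__ == "__main__":
    # Constructed sample inventory, one entry per numbering scheme.
    for installed in ("2023.0.6", "15.0.5", "14.1.8", "13.0.2", "2024.0.0"):
        print(f"{installed:>10}: {patch_status(installed)}")
```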
A few months ago, the cyber gang Cl0p abused a security hole in MOVEit Transfer to copy sensitive data from numerous companies. Since then, the criminal organization has been blackmailing the victims, among them well-known companies such as Ernst & Young, PricewaterhouseCoopers, Schneider Electric and Siemens Energy.
(dmk)