MOVEit SQL Injection Vulnerability
SonicWall Capture Labs Threat Research Team has observed the following threat:
MOVEit provides secure collaboration and automated file transfers of sensitive data and advanced workflow automation capabilities without the need for scripting. Encryption and activity tracking enable compliance with regulations such as PCI, HIPAA and GDPR. MOVEit can be accessed via an API or the provided web interface that can be accessed over HTTPS.
A SQL injection vulnerability has been reported for MOVEit Transfer. This vulnerability is due to flawed input validation of requests sent to the endpoints “/moveitisapi/moveitisapi.dll” and “/guestaccess.aspx”.
A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. A successful attack may result in arbitrary SQL command execution against the database on the target server.
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-34362.
Common Vulnerability Scoring System (CVSS):
The overall CVSS score is 8.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).
Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
• Attack vector is network.
• Attack complexity is low.
• Privileges required is none.
• User interaction is none.
• Scope is unchanged.
• Impact of this vulnerability on data confidentiality is high.
• Impact of this vulnerability on data integrity is high.
• Impact of this vulnerability on data availability is high.
Temporal score is 8.5 (E:U/RL:O/RC:C), based on the following metrics:
• The exploit code maturity level of this vulnerability is unproven.
• The remediation level of this vulnerability is official fix.
• The report confidence level of this vulnerability is confirmed.
This vulnerability is due to flawed input validation of requests sent to the endpoints “/moveitisapi/moveitisapi.dll” and “/guestaccess.aspx”. The “/moveitisapi/moveitisapi.dll” resource processes requests with a parameter named action set to the value “m2”. When processing such a request the server expects the “X-siLock-Transaction” header (case-sensitive) to be set to “folder_add_by_path”; the server then passes the request to “/machine2.aspx”. The “/machine2.aspx” resource is meant to be used internally by various MOVEit components to manage “high speed” file transfers.
However, if the string “X-siLock-Transaction: folder_add_by_path” is found in any other header, the “/moveitisapi/moveitisapi.dll” resource will still process the request and pass it to “/machine2.aspx”. The “/machine2.aspx” resource then processes the request based on the value of the actual “X-siLock-Transaction” header. An attacker can set the “X-siLock-Transaction” header value to “session_setvars”, which causes the SetAllSessionVarsFromHeaders() method of the SILHttpSessionWrapper class to be called. The SetAllSessionVarsFromHeaders() method processes each HTTP header named “X-siLock-SessVar” (case-sensitive) and attempts to set the session variable named in the header to the value given in the header.
For example the header:
X-siLock-SessVar: MyPkgSelfProvisionedRecips: email@example.com
This will set the session variable MyPkgSelfProvisionedRecips, which controls the recipients of a data package, to the value “email@example.com”. While a guest user is in the process of sending a data package, a request can be sent to the “/machine2.aspx” endpoint via “/moveitisapi/moveitisapi.dll” that updates the values of session variables. When the final data package is then sent via form submission to the “/guestaccess.aspx” endpoint, the updated session variables are used, allowing an attacker to set the recipient's email address to a value containing SQL injection characters.
When the form is submitted, the method GetHTML() loads the updated session variables and calls the MsgPostForGuest() method of the class MOVEit.DMZ.ClassLib.MsgEngine. That method calls the UserGetSelfProvisionUserRecipsWithEmailAddress() method of the MOVEit.DMZ.ClassLib.UserEngine class, which in turn calls the UserGetUsersWithEmailAddress() method. The UserGetUsersWithEmailAddress() method builds a SQL statement by concatenating the updated recipient email address into the query string without performing any sanitization, and then executes the SQL query.
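The following detector is an added example, not code from the SonicWall advisory or from Progress. It applies the three observable traits described above (the “folder_add_by_path” marker carried in a header other than the real X-siLock-Transaction header, a “session_setvars” transaction sent through moveitisapi.dll, and a MyPkgSelfProvisionedRecips assignment containing SQL metacharacters) to parsed request headers; the sample requests and the Host name are constructed for illustration.

```python
import re
from typing import List, Tuple

Header = Tuple[str, str]  # (name, value); names compared case-sensitively, as the server does

ISAPI_PATH = "/moveitisapi/moveitisapi.dll"
TRANSACTION_HDR = "X-siLock-Transaction"
SESSVAR_HDR = "X-siLock-SessVar"
SMUGGLED = "X-siLock-Transaction: folder_add_by_path"   # marker the ISAPI filter looks for
SQL_META = re.compile(r"['\";]|--|/\*")                 # quote, semicolon, comment tokens

def analyze_request(path: str, headers: List[Header]) -> List[str]:
    """Return a list of findings for one request to the ISAPI forwarding endpoint."""
    findings = []
    if not path.lower().startswith(ISAPI_PATH):
        return findings  # other endpoints are out of scope for these three checks
    real_tx = [v.strip() for n, v in headers if n == TRANSACTION_HDR]
    # 1. marker string present in some *other* header while the real header says something else
    smuggled = any(SMUGGLED in v for n, v in headers if n != TRANSACTION_HDR)
    if smuggled and real_tx and real_tx[0] != "folder_add_by_path":
        findings.append(f"folder_add_by_path marker smuggled; real transaction is {real_tx[0]!r}")
    # 2. session-variable write requested through moveitisapi.dll
    if "session_setvars" in real_tx:
        findings.append("X-siLock-Transaction: session_setvars via moveitisapi.dll")
    # 3. recipient session variable assigned a value carrying SQL metacharacters
    for n, v in headers:
        if n != SESSVAR_HDR or ":" not in v:
            continue
        var, _, val = v.partition(":")
        if var.strip() == "MyPkgSelfProvisionedRecips" and SQL_META.search(val):
            findings.append("MyPkgSelfProvisionedRecips set with SQL metacharacters")
    return findings

# Constructed sample requests (hypothetical host name).
BENIGN = ("/moveitisapi/moveitisapi.dll?action=m2",
          [("Host", "moveit.example"), (TRANSACTION_HDR, "folder_add_by_path")])
SUSPECT = ("/moveitisapi/moveitisapi.dll?action=m2",
           [("Host", "moveit.example"),
            ("X-Custom", SMUGGLED),                       # marker in an unrelated header
            (TRANSACTION_HDR, "session_setvars"),
            (SESSVAR_HDR, "MyPkgSelfProvisionedRecips: a@example.com'")])

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, analyze_request(*req))
```

Feeding a web-server access log alone is not enough, since the checks need the full header set; run it over captured or proxied requests.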
Triggering the Problem:
• The target system must have the vulnerable product installed and enabled.
• The attacker must have network connectivity to the affected ports.
• The attacker must be able to register as a guest user and be able to send a data package.
An attacker requests to register as a guest user and send a data package. The attacker then sends a request to update the session variables. Finally, the attacker sends a request to send the data package. The vulnerability is triggered when the server processes the request.
The following application protocols can be used to deliver an attack that exploits this vulnerability:
SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:
• IPS:15883 Progress MOVEit SQL Injection
The risks posed by this vulnerability can be mitigated or eliminated by:
• Filtering traffic based on the signature above.
• Upgrading the product to a non-vulnerable version.
The vendor has released the following advisory regarding this vulnerability: