This vulnerability could lead to escalated privileges and potential unauthorized access to the environment. This post provides an overview of steps you can take to protect your organization and your third-party network. We also summarize our investigation and mitigation efforts as they relate to Whistic.
The vulnerability is an SQL injection vulnerability. OWASP describes this as consisting of insertion or “injection” of an SQL query via the input data from a client to the application. In other words, where the application is expecting ordinary input data, a person may insert SQL code designed to make the application do something other than what was expected.
Severity and impact
If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to protect your MOVEit Transfer environment. As of this writing, NIST has not completed analysis of this vulnerability and has not assigned it a severity rating. Progress Community states that all versions of MOVEit Transfer are affected by this vulnerability.
Response Step 1: Determine if you are at risk
All versions of MOVEit Transfer are affected.
The following products are not susceptible to this SQL injection vulnerability in MOVEit Transfer:
- MOVEit Automation
- MOVEit Client
- MOVEit Add-in for Microsoft Outlook
- MOVEit Mobile
- WS_FTP Client
- WS_FTP Server
- MOVEit EZ
- MOVEit Gateway
- MOVEit Analytics
- MOVEit Freely
At this time, no action is necessary for the products listed above.
To assess whether your third parties are vulnerable, customers can access the MOVEit Transfer Vulnerability questionnaire in the Whistic platform under our Questionnaire Standards Library.
Response Step 2: Detailed action list
The following steps are recommended to help prevent successful exploitation of this vulnerability:
- Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment
- Delete unauthorized files and user accounts and reset service account credentials
- Patch supported MOVEit Transfer versions. Apply the patch found here.
- Verify by following the second bullet again — if indications of compromise are found, reset service account credentials again
- Enable HTTP and HTTPS traffic in your MOVEit Transfer environment
- Conduct continuous monitoring of network, endpoints, and logs for indicators of compromise
For more detail on this process, follow the steps at Progress Community titled “Recommended Remediation”, which also includes additional security best practices.
Does this affect Whistic?
As a result of our investigation, we have determined that this vulnerability does not directly impact Whistic.