Reference: Advisory #2024-96
Version: 1.0
Affected software:
Progress MOVEit Gateway 2024.0.0
Progress MOVEit Transfer from 2023.0.0 before 2023.0.11
Progress MOVEit Transfer from 2023.1.0 before 2023.1.6
Progress MOVEit Transfer from 2024.0.0 before 2024.0.2
Type: Authentication Bypass
CVE/CVSS:
CVE-2024-5805: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVE-2024-5806: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
https://community.progress.com/s/article/MOVEit-Gateway-Critical-Security-Alert-Bulletin-June-2024-CVE-2024-5805
https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806
Progress has issued two advisories for authentication bypass vulnerabilities in Progress MOVEit Transfer and Gateway products. These vulnerabilities could allow an unauthorized actor to gain access to the server. Unauthorized access could be used to further compromise your environment and deploy ransomware.
CVE-2024-5805 and CVE-2024-5806 are rated as CRITICAL with HIGH impact on the CIA triad.
A Proof of Concept (POC) exploiting these vulnerabilities is available. Shadowserver has reported seeing active scanning for this vulnerability.
Authentication bypass vulnerabilities such as CVE-2024-5805 and CVE-2024-5806 are often quickly weaponized by ransomware actors, as seen with previous vulnerabilities in MOVEit software.
CVE-2024-5805 is an authentication vulnerability in the Progress MOVEit Gateway SFTP module. Similarly, CVE-2024-5806 is an authentication vulnerability in the Progress MOVEit Transfer SFTP module.
Both vulnerabilities result in an authentication bypass, allowing attackers to gain access to the system without valid credentials.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
If immediate patching is not possible in your environment, Progress has described mitigation steps in their advisory.
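To prioritise patching, an asset inventory can be checked against the affected version ranges listed in this advisory. The script below is an added example, not code from the CCB or Progress; the host names and inventory rows are constructed, and it assumes the inventory records release-style versions (for example 2023.0.10) as the advisory does.

```python
import re

# Affected ranges as listed in this advisory: (product, first affected, first unaffected).
# Gateway is listed as the single version 2024.0.0, so it has no upper bound here.
AFFECTED = [
    ("gateway", (2024, 0, 0), None),
    ("transfer", (2023, 0, 0), (2023, 0, 11)),
    ("transfer", (2023, 1, 0), (2023, 1, 6)),
    ("transfer", (2024, 0, 0), (2024, 0, 2)),
]
# Constructed sample inventory: (host, product, reported version).
INVENTORY = [
    ("sftp-01", "Transfer", "2023.0.10"),
    ("sftp-02", "Transfer", "2024.0.2"),
    ("sftp-03", "Transfer", "unknown"),
    ("gw-01", "Gateway", "2024.0.0"),
]

def parse_version(text):
    """Parse 'major.minor.patch' into a tuple; extra trailing components are ignored."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)*\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def check(product, version_text):
    """Return (affected, first unaffected release or None) for one installation."""
    version = parse_version(version_text)
    for name, first_bad, first_fixed in AFFECTED:
        if name != product.lower():
            continue
        if first_fixed is None and version == first_bad:
            return True, None
        if first_fixed is not None and first_bad <= version < first_fixed:
            return True, ".".join(map(str, first_fixed))
    return False, None

def triage(inventory):
    """Map each host to a verdict; unparseable versions are flagged for manual review."""
    report = {}
    for host, product, version_text in inventory:
        try:
            affected, target = check(product, version_text)
        except ValueError:
            report[host] = "REVIEW"
            continue
        report[host] = ("AFFECTED" + (f", update to {target} or later" if target else "")
                        if affected else "not listed in this advisory")
    return report

if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(f"{host}: {verdict}")
```

A "not listed in this advisory" verdict only means the version falls outside the ranges above; hosts marked REVIEW need their version confirmed by hand.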
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/
https://www.rapid7.com/blog/post/2024/06/25/etr-authentication-bypasses-in-moveit-transfer-and-moveit-gateway/
https://x.com/Shadowserver/status/1805676078620401831
https://www.ccb.belgium.be/advisories/warning-critical-actively-exploited-unauthenticated-remote-code-execution-0-day