CVE-2023-34362 - MOVEit Transfer SQL Injection

### CVE-2023-34362 - Critical SQL Injection vulnerability in MOVEit Transfer. #### Summary A critical vulnerability has been identified in MOVEit Transfer, a managed file transfer solution. The vulnerability affects versions prior to the latest release and involves improper input validation. Exploiting this vulnerability can lead to remote execution of arbitrary code, potentially resulting in unauthorized access and compromise of sensitive data. To mitigate the risk associated with this vulnerability, it is crucial for users to update to the latest version of MOVEit Transfer that includes necessary security patches. #### Affected Products | Affected Version | Fixed Version | Documentation | |-------------------------------|---------------------------|-------------------------------------| | MOVEit Transfer 2023.0.0 (15.0) | MOVEit Transfer 2023.0.1 | [MOVEit 2023 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2023/Upgrade/) | | MOVEit Transfer 2022.1.x (14.1) | MOVEit Transfer 2022.1.5 | [MOVEit 2022 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2022/Upgrade/) | | MOVEit Transfer 2022.0.x (14.0) | MOVEit Transfer 2022.0.4 | [MOVEit 2022 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2022/Upgrade/) | | MOVEit Transfer 2021.1.x (13.1) | MOVEit Transfer 2021.1.4 | [MOVEit 2021 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2021/Upgrade/) | | MOVEit Transfer 2021.0.x (13.0) | MOVEit Transfer 2021.0.6 | [MOVEit 2021 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2021/Upgrade/) | | MOVEit Transfer 2020.1.x (12.1) | Special Patch Available | See [KB 000234559](https://docs.ipswitch.com/MOVEit/2020/234559.htm) | | MOVEit Transfer 2020.0.x (12.0) or older | MUST upgrade to a supported version | See [MOVEit Transfer Upgrade and Migration Guide](https://docs.ipswitch.com/MOVEit/Transfer2021/UpgradeGuide/) | **This playbook should be triggered manually or can be configured as a job.** Please create a new incident and choose the CVE-2023-34362 - MOVEit SQL Injection playbook and Rapid Breach Response incident type. **The playbook includes the following tasks:** **IoCs Collection** - Blog IoCs download - Yara Rules download - Sigma rules download **Hunting:** - Cortex XDR XQL exploitation patterns hunting - Cortex Xpanse external facing instances hunting - Advanced SIEM exploitation patterns hunting - Indicators hunting The hunting queries are searching for the following activities: - ASPX file creation by w3wp.exe - IIS compiling binaries via the csc.exe on behalf of the MOVEit - Detects get requests to specific exploitation related files **Mitigations:** - Progress official CVE-2023-34362 patch - Progress mitigation measures - Detection Rules - Yara - Sigma **References:** [CVE-2023-34362: MOVEit Transfer SQL Injection Vulnerability Threat Brief](https://unit42.paloaltonetworks.com/threat-brief-moveit-cve-2023-34362/) [MOVEit Transfer Critical Vulnerability (May 2023)](https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023) Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

CVE-2023-34362 - MOVEit Transfer SQL Injection · 63 tasks · 8 inputs · 0 outputs

Inputs

  • PlaybookDescription — The playbook description to be used in the Rapid Breach Response - Set Incident Info sub-playbook.
  • autoBlockIndicators — Wether to block the indicators automatically.
  • QRadarTimeRange — The time range for the QRadar queries.
  • SplunkEarliestTime — The time range for the Splunk queries.
  • ElasticEarliestTime — The time range for the Elastic queries.
  • LogAnalyticsTimespan — The time range for the Azure Log Analytics queries.
  • XQLTimeRange — The time range for the XQL queries.
  • ElasticIndex — The elastic index to search in.

Commands used

azure-log-analytics-execute-query es-eql-search expanse-get-issues extractIndicators splunk-search xdr-xql-generic-query

Flowchart

Yes Yes Yes yes Yes yes Yes Yes yes Start Start Collect Indicators Collect Indicators Tag Indicators Tag Indicators Tag CVE Indicators - CreateNewIndicatorsOnly Tag CVE Indicators CreateNewIndicatorsOnly Threat Hunting Threat Hunting SIEM Advanced Hunting SIEM Advanced Hunting Is Splunk Enabled? Is Splunk Enabled? Is QRadar Enabled? Is QRadar Enabled? Set Rapid Breach Response Layout Set Rapid Breach Response... Rapid Breach Response - Set Incident Info - Rapid Breach Response - Set Incident Info Rapid Breach Response - S... Rapid Breach Response - Set I... Is Elasticsearch Enabled? Is Elasticsearch Enabled? Is Azure Log Analytics Enabled? Is Azure Log Analytics En... ASPX file creation by w3wp.exe - azure-log-analytics-execute-query ASPX file creation by w3w... azure-log-analytics-execute-q... ASPX file creation by w3wp.exe - splunk-search ASPX file creation by w3w... splunk-search ASPX file creation by w3wp.exe - es-eql-search ASPX file creation by w3w... es-eql-search Collect IoCs from Huntress - ParseHTMLIndicators Collect IoCs from Huntress ParseHTMLIndicators Tag IP Indicators - CreateNewIndicatorsOnly Tag IP Indicators CreateNewIndicatorsOnly ASPX file creation by w3wp.exe - QRadarFullSearch ASPX file creation by w3w... QRadarFullSearch Should continue with the investigation? Should continue with the ... Should block indicators automatically? Should block indicators a... Block Indicators - Generic v3 - Block Indicators - Generic v3 Block Indicators - Generi... Block Indicators - Generic v3 Handle indicators manually Handle indicators manually Investigate further Investigate further Done Done Remediation Remediation Mitigation Mitigation Progress mitigation measures Progress mitigation measures Patch vulnerable servers Patch vulnerable servers Deploy Yara and Sigma rules Deploy Yara and Sigma rules Indicators Hunting Indicators Hunting Resolution Resolution Download Sigma Rules Download Sigma Rules Download Huntress Yara rules - HttpV2 Download Huntress Yara rules HttpV2 MOVEit exploitation - HttpV2 MOVEit exploitation HttpV2 Download Yara Rules Download Yara Rules Collect IoCs from Progress - extractIndicators Collect IoCs from Progress extractIndicators Tag Domain Indicators - CreateNewIndicatorsOnly Tag Domain Indicators CreateNewIndicatorsOnly Tag File Indicators - CreateNewIndicatorsOnly Tag File Indicators CreateNewIndicatorsOnly Cortex XDR - XQL Hunting Queries Cortex XDR - XQL Hunting ... Is Cortex XDR - XQL Enabled? Is Cortex XDR - XQL Enabled? ASPX file creation by w3wp moveitdmz pool - xdr-xql-generic-query ASPX file creation by w3w... xdr-xql-generic-query IIS compiling binaries via the csc.exe on behalf of the MOVEit - azure-log-analytics-execute-query IIS compiling binaries vi... azure-log-analytics-execute-q... IIS compiling binaries via the csc.exe on behalf of the MOVEit - splunk-search IIS compiling binaries vi... splunk-search IIS compiling binaries via the csc.exe on behalf of the MOVEit - es-eql-search IIS compiling binaries vi... es-eql-search IIS compiling binaries via the csc.exe on behalf of the MOVEit - QRadarFullSearch IIS compiling binaries vi... QRadarFullSearch Detects get requests to specific exploitation related files - azure-log-analytics-execute-query Detects get requests to s... azure-log-analytics-execute-q... Detects get requests to specific exploitation related files - splunk-search Detects get requests to s... splunk-search Detects get requests to specific exploitation related files - es-eql-search Detects get requests to s... es-eql-search Detects get requests to specific exploitation related files - QRadarFullSearch Detects get requests to s... QRadarFullSearch IIS compiling binaries via the csc.exe on behalf of the MOVEit - xdr-xql-generic-query IIS compiling binaries vi... xdr-xql-generic-query Detects get requests to specific exploitation related files - xdr-xql-generic-query Detects get requests to s... xdr-xql-generic-query Detects file indicators of potential exploitation - HttpV2 Detects file indicators o... HttpV2 Detects get requests to specific exploitation related files - HttpV2 Detects get requests to s... HttpV2 Download Folrian Roth Yara rules - HttpV2 Download Folrian Roth Yar... HttpV2 Threat Hunting - Generic - Threat Hunting - Generic Threat Hunting - Generic Threat Hunting - Generic Cortex Hunting Cortex Hunting Cortex Xpanse Cortex Xpanse Is Cortex Xpanse Enabled? Is Cortex Xpanse Enabled? Search external facing MOVEit Transfer instances - expanse-get-issues Search external facing MO... expanse-get-issues Review possible vulnerable servers Review possible vulnerabl... Found servers using Prisma Cloud? Found servers using Prism... Collect IoCs from Unit42 - ParseHTMLIndicators Collect IoCs from Unit42 ParseHTMLIndicators Identify agents with MOVEit Transfer installed - xdr-xql-generic-query Identify agents with MOVE... xdr-xql-generic-query