<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>vulnerability &#8211; IT Security Works</title>
	<atom:link href="https://itsec.works/tags/vulnerability/feed/" rel="self" type="application/rss+xml" />
	<link>https://itsec.works</link>
	<description>an infosecs blog to security</description>
	<lastBuildDate>Wed, 21 Jun 2023 01:45:59 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://itsec.works/wp-content/uploads/2020/06/lock-v2-32x32.png</url>
	<title>vulnerability &#8211; IT Security Works</title>
	<link>https://itsec.works</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Analysis of CVE-2023-35708: Security Vulnerability in MoveIT</title>
		<link>https://itsec.works/2023/06/analysis-of-cve-2023-35708-security-vulnerability-in-moveit/</link>
		
		<dc:creator><![CDATA[wpx_itsec]]></dc:creator>
		<pubDate>Wed, 21 Jun 2023 01:12:37 +0000</pubDate>
				<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[moveit]]></category>
		<category><![CDATA[vulnerability]]></category>
		<guid isPermaLink="false">https://itsec.works/?p=110</guid>

					<description><![CDATA[CVE-2023-35708 is a remote code execution vulnerability discovered in MoveIT version 2.1.5 and earlier.]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph">Introduction:</p>



<p class="wp-block-paragraph">As a security analyst, it is crucial to stay updated with the latest security vulnerabilities that impact various software solutions. In this analysis, we will focus on CVE-2023-35708, a critical security vulnerability affecting MoveIT, a popular file transfer and secure collaboration platform. This vulnerability poses a significant risk to organizations using MoveIT, potentially leading to unauthorized access, data leakage, or system compromise. This analysis aims to provide insights into the nature of CVE-2023-35708 and its potential impact on MoveIT deployments.</p>



<p class="has-medium-font-size wp-block-paragraph"><strong>CVE-2023-35708: Vulnerability Description and Impact:</strong></p>



<p class="wp-block-paragraph">CVE-2023-35708 is a remote code execution vulnerability discovered in MoveIT version 2.1.5 and earlier. This vulnerability allows an attacker to execute arbitrary code on a MoveIT server remotely. By exploiting this vulnerability, an attacker can gain unauthorized access to the system, potentially compromising sensitive data, escalating privileges, or even causing a complete system compromise.</p>



<p class="wp-block-paragraph">The vulnerability stems from a flaw in the input validation mechanism of MoveIT, which fails to properly sanitize user-supplied input. An attacker can exploit this weakness by sending specially crafted requests to the affected server, thereby executing malicious code on the targeted system. As a result, the attacker can gain control over the server and carry out a range of malicious activities, such as accessing, modifying, or exfiltrating sensitive data stored within MoveIT.</p>



<p class="has-medium-font-size wp-block-paragraph"><strong>Mitigation and Recommended Actions:</strong></p>



<p class="wp-block-paragraph">To mitigate the risks associated with CVE-2023-35708, organizations using affected versions of MoveIT should take immediate action. Here are several recommended steps to address this vulnerability:</p>



<p class="wp-block-paragraph">Update to the latest patched version: The first and foremost action is to update MoveIT to a version that includes a fix for CVE-2023-35708. The vendor has released a security patch or an updated version that addresses the vulnerability. Organizations must ensure they promptly apply the patch or upgrade their MoveIT installation to a secure version. See: <a href="https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023" target="_blank" rel="noreferrer noopener">https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023</a></p>



<p class="wp-block-paragraph">Implement network segmentation: To limit the potential impact of a successful exploitation, organizations should consider implementing network segmentation. By segregating MoveIT servers from critical internal systems and limiting access to only necessary connections, the attack surface can be significantly reduced. This can help contain the potential damage and prevent lateral movement within the network in the event of a successful attack.</p>



<p class="wp-block-paragraph">Conduct thorough security assessments: It is crucial to conduct thorough security assessments, including vulnerability scans and penetration tests, to identify any existing vulnerabilities or weaknesses within MoveIT deployments. This proactive approach allows organizations to identify and address any additional security concerns beyond CVE-2023-35708, ensuring a robust security posture for their MoveIT infrastructure.</p>



<p class="has-medium-font-size wp-block-paragraph"><strong>Conclusion:</strong></p>



<p class="wp-block-paragraph">CVE-2023-35708 poses a critical security risk to organizations using affected versions of MoveIT. The remote code execution vulnerability enables attackers to gain unauthorized access to the system and potentially compromise sensitive data. To mitigate this risk, it is essential for organizations to promptly update MoveIT to a secure version, implement network segmentation, and conduct comprehensive security assessments. By taking these recommended actions, organizations can protect their MoveIT deployments and minimize the potential impact of CVE-2023-35708 on their overall security posture.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Ripple20 TCP/IP flaws and IoT</title>
		<link>https://itsec.works/2020/06/ripple20-tcp-ip-flaws-and-iot/</link>
		
		<dc:creator><![CDATA[wpx_itsec]]></dc:creator>
		<pubDate>Fri, 26 Jun 2020 06:44:37 +0000</pubDate>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[IoT]]></category>
		<category><![CDATA[networking]]></category>
		<category><![CDATA[vulnerability]]></category>
		<guid isPermaLink="false">https://itsec.works/?p=27</guid>

					<description><![CDATA[A set of serious network security vulnerabilities collectively known as Ripple20 roiled the IoT landscape when they came to light last week, and the problems&#8230;]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph">A set of serious network security vulnerabilities collectively known as Ripple20 roiled the IoT landscape when they came to light last week, and the problems they pose for IoT-equipped businesses could be both dangerous and difficult to solve.</p>



<p class="wp-block-paragraph">Ripple20 was originally discovered by Israel-based security company JSOF in September 2019. It affects a lightweight, proprietary TCP/IP library created by a small company in Ohio called Treck, which has issued a patch for the vulnerabilities. Several of those vulnerabilities would allow for remote-code execution, allowing for data theft, malicious takeovers and more, said the security vendor.</p>



<blockquote class="wp-block-quote has-text-align-right is-style-large is-layout-flow wp-block-quote-is-layout-flow"><p><em>When you’re dealing with threats to the TCP/IP stack, you’re talking about the fundamental networking core of these devices</em></p></blockquote>



<p class="wp-block-paragraph">That, however, isn’t the end of the problem. The TCP/IP library that contains the vulnerabilities has been used in a huge range of connected devices, from medical devices to industrial control systems to printers, and actually delivering and applying the patch is a vast undertaking. JSOF said that “hundreds of millions” of devices could be affected. Many devices don’t have the capacity to receive remote patches, and Terry Dunlap, co-founder of security vendor ReFirm Labs, said that there are numerous hurdles to getting patches onto older equipment in particular.</p>



<p class="wp-block-paragraph">“How many of these devices are sitting in some closet covered with five years of dust that hasn’t been touched by human hands?” he said. “When you’re dealing with threats to the TCP/IP stack, you’re talking about the fundamental networking core of these devices.”</p>



<p class="wp-block-paragraph">Even discovering whether or not a company’s networks are affected by the flaws can be a challenge, according to Brian Kime, a senior analyst at Forrester Research.</p>



<p class="wp-block-paragraph">“Network vulnerability scanners have challenges in detecting flaws in those libraries,” he said. “[The flaws aren’t] really advertised, sitting there, waiting for a connection to be made from outside.”</p>



<p class="wp-block-paragraph">“It’s gonna be tough to fix the actual devices,” Kime said. “Because it’s embedded and because these vendors don’t advertise all the software components that go into their devices, [companies] probably won’t be able to identify just by looking at the vendor website.”</p>



<p class="wp-block-paragraph">Efforts are already under way to patch affected devices, but it’s a mammoth task, involving dozens upon dozens of companies at every level of the supply chain. Businesses will have to work closely with vendors, their suppliers and on down the chain just to identify their potential exposure to Ripple20.</p>



<p class="wp-block-paragraph">For those vendors and OEMs with the option, Dunlap suggested that there are alternative options available. Instead of using a proprietary TCP/IP library, companies could make use of one of the numerous open source options available.</p>



<p class="wp-block-paragraph">“I don’t understand what a proprietary stack is going to get you over the open source stack that’s already out there,” he said.</p>



<p class="wp-block-paragraph">The silver lining is that there’s no indication that it’s being exploited in the wild at this point. That may change, as bad actors react to its being made public and develop potential exploits, but they still might have a difficult time taking advantage of Ripple20, according to Dunlap.</p>



<p class="wp-block-paragraph">Many of the most critical pieces of equipment that could be targeted using these vulnerabilities are not visible to the Internet at large and don’t have a direct connection to it. So while an infrastructure attack a la Stuxnet is possible, it would have to be delivered in much the same way – via “sneakernet” and an infected USB stick or another traditional malware delivery technique.</p>



<p class="wp-block-paragraph">“A lot of these embedded systems that are vulnerable to this aren’t public facing,” he said. “They might be on an intranet, and if a company was the victim of a sophisticated phishing attack, that could open the door to an intruder.”</p>



<p class="wp-block-paragraph"><a href="https://www.jsof-tech.com/ripple20/" target="_blank" rel="noreferrer noopener">JSOF’s official post on the matter</a> contains additional specifics about what devices might be affected, which could offer a starting point to companies looking to avoid a breach.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
