Third MOVEit bug fixed a day after PoC exploit made public

Progress Software on Friday issued a fix for a third critical bug in its MOVEit file transfer suite, a vulnerability that had been disclosed only the day before. Details of the latest vulnerability, tracked as CVE-2023-35708, were made public Thursday; a proof-of-concept (PoC) exploit for the flaw, now fixed today, also emerged …

  1. Kevin McMurtrie Silver badge

    This may never end

    One SQL injection vuln might be a mistake or forgotten old prototyping. Three found in a row makes me think that the whole codebase is "do-over" grade.

    1. sitta_europea Silver badge

      Re: This may never end

      Not sure all three were SQL injection but the whole thing starts to remind me of something Lady Bracknell said.

      1. Anonymous Coward

        Re: This may never end

        > Not sure all three were SQL injection but the whole thing starts to remind me of something Lady Bracknell said

        It says in the main article that all three were SQL injection vulnerabilities. Just who or what did they get to write the app? In this day and age.

      2. Ball boy Silver badge

        Re: This may never end

        Okay, so one SQL injection issue was found. As said, that could have been a hang-over from testing or something. Not good but mistakes happen.

        Then a second is found. Surely that would ring alarm bells and someone should have thought: 'damn, we better check the rest of the code to see if any more were left in there'. Was that entirely logical rear-guard action simply overlooked or isn't their client base important enough to them to justify assigning resources to looking? How companies respond to problems is often what defines a business relationship and, well, there's clearly some questions that remain unanswered!

        1. Anonymous Coward

          Re: This may never end

          Ball boy: "Okay, so one SQL injection issue was found .. Not good but mistakes happen."

          The software "engineer" couldn't figure out how to achieve the same functionality without constructing an SQL statement locally and then passing it back to the server as a URL.
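The two forms of query construction the thread contrasts, as an added illustration that is not part of any commenter's post or of MOVEit's code: a lookup whose WHERE clause is built by concatenating caller input (so the input becomes SQL syntax) beside the same lookup with the value bound as a parameter. The table, rows and the `owner` filter are constructed for the demo; no MOVEit schema is assumed.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory 'files' table, not MOVEit's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO files (owner, name) VALUES (?, ?)",
        [("alice", "q1-report.pdf"), ("alice", "budget.xlsx"), ("bob", "payroll.csv")],
    )
    return conn


def list_files_vulnerable(conn, owner):
    """Statement assembled by string concatenation: whatever the caller sends is
    parsed as SQL, so a quote in the input changes the query's structure."""
    sql = "SELECT name FROM files WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def list_files_safe(conn, owner):
    """Parameterised statement: the SQL text is fixed and the driver passes the
    value separately, so the input can only ever be compared as data."""
    sql = "SELECT name FROM files WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def demo():
    """Run both variants against a benign value and against the textbook tautology
    input; returns the result lists so the difference can be checked."""
    conn = make_db()
    benign = "alice"
    tautology = "x' OR '1'='1"  # constructed: turns the WHERE clause into 'always true'
    return {
        "vulnerable_normal": list_files_vulnerable(conn, benign),
        "vulnerable_injected": list_files_vulnerable(conn, tautology),
        "safe_normal": list_files_safe(conn, benign),
        "safe_injected": list_files_safe(conn, tautology),  # no owner has that literal name
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label}: {names}")
```

The concatenated variant returns every row in the table for the tautology input (bob's payroll file included), while the bound variant returns nothing because it is comparing the whole string against the `owner` column. The point for reviewers is that the fix is structural, not a matter of escaping: a code base where statements are assembled from request data has to be audited query by query, which is why finding a second and third instance after the first is not surprising.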

  2. Ball boy Silver badge

    'Safeguard their identity'? How, exactly?

    "Similarly, Louisiana's Office of Motor Vehicles warned that all residents with a state-issued ID, drivers license, or car registration likely had their name, addresses, social security number, birthdate, height, eye color, license number, vehicles registration, and handicap placard info exposed.

    "There is no indication at this time that cyber attackers who breached MOVEit have sold, used, shared or released the OMV data obtained from the MOVEit attack," the Louisiana agency said. "The cyber attackers have not contacted state government. But all Louisianans should take immediate steps to safeguard their identity."

    Does this mean any worried Louisianans should sell their car, move home, get a new driving license and SSN issued and then switch their date of birth and eye color, perfect a limp and wear heels? I'm not sure if I'm joking or not - but that glib 'take steps to safeguard your identity' line has all the makings of a farce.

    1. sitta_europea Silver badge

      Re: 'Safeguard their identity'? How, exactly?

      Absolutely right.

      The people who haven't safeguarded the identity information that they've forced people to hand over to them should all be taken out behind the bike sheds and put out of my misery.

      1. Anonymous Coward

        Re: 'Safeguard their identity'? How, exactly?

        The responsibility of safeguarding PII rests where it belongs: squarely on the shoulders of the victims of gubmint incompetence.

    2. Dagg Silver badge

      Re: 'Safeguard their identity'? How, exactly?

      How, exactly?

      Easy, this is America, buy more guns buy bigger Guns... Need more be said.

      1. Dagg Silver badge

        Re: 'Safeguard their identity'? How, exactly?

        Looks like someone doesn't understand sarcasm...

    3. Anonymous Coward

      Re: 'Safeguard their identity'? How, exactly?

      Seems like most times some company or agency has bungled security and let citizen/customer/etc. data out into the wild, their best advice to "safeguard [our] identity" is some amount of "free" (hah) credit report monitoring or some such thing.

      As if the likes of Equifax, Experian, and TransUnion really have our best interests in mind.

      And, if memory serves, have occasionally had security issues of their own.

      Bloody bleak, innit?

  3. mikus

    Now that they know, they'll bust it up to eternity. These "secure file transfer" gateways are always a racket, use a properly secure means.

    If you buy a suite like moveit, hire someone to tell you to stop.

  4. Steve Kerr

    Automating internal attacks

    Only a passing comment.

    You would think that if you have software that is written to be public-internet facing, they would have an internal set of automation tools that continually attempts to exploit their own software.

    So you would have a segregated network where you would use the same sort of tools that miscreants would use and then continually attempt attacks against a variety of supported versions of your software.

    I know if I was running a software vendor, I would do something like this.

    For some internal software in the past, I have done things to try to break it, though people moaned about why I was doing this. I said we need to understand what will happen to all the interconnected components if something goes wrong, e.g. someone accidentally deletes the contents of a table in a DB, or services fail, or servers fail.

    Basically, test it into destruction. It's also a fun thing to do, and it means that when it goes live to customers you've tried to minimise the chances of failure, though people can be quite good at breaking things by accident!

    1. Anonymous Coward

      Re: Automating internal attacks

      Why, that almost sounds like testing things before throwing up and over the wall into production. Surely that's a violation of "release early, release often", "move fast and break things", and other pithy devoops sayings and practices?

  5. Brewster's Angle Grinder Silver badge

    Value Subtract?

    Can someone tell me what the hell this software does and why you need it?

    1. cookieMonster

      Re: Value Subtract?

      Re why it’s needed: A golf invitation and a show?

      (For a big deal add hookers and blow)

    2. iron

      Re: Value Subtract?

      Fancy sounding FTP but without the security.

      /s

      FTP is not secure, do not use FTP or this shite.

      1. CrazyOldCatMan Silver badge

        Re: Value Subtract?

        FTP is not secure

        But can be made so (use of ssl, ftp/s and all that jazz). Better than a festering pile of closed-source commercial crap with multiple *known* vulnerabilities (and how many others left to find?).

        Difficult to scale, yes. But to say it's not secure is wrong - in its default state, sure - but no sysop should *ever* put stuff into production in its default state.
