Security Advisory SSA-1705
Ipswitch MOVEit Transfer aka MOVEit DMZ SQL-Injection
Reference ID: SSA-1705Publication date: 18.05.2017
Severity: critical
Discovered by: Andreas Schmidt
Affected products/versions: MOVEit Transfer 2017 < 9.0.201 MOVEit DMZ < 8.3.0.30, < 8.2.0.20, < 8.2.X
A SQL-Injection vulnerability has been identified in the moveitisapi.dll of the MOVEit Transfer product of ipswitch. The overall impact this vulnerability depends on the type and configuration settings of the database. The MOVEit Transfer product ships with a MySQL database. But it can also be configured to use a MSSQL DB. By default it is configured to use the MySQL DB. The default user rights of the DB user ‘moveitdmz’ are also very limited, e.g. it is not possible to perform any actions on the filesystem like ‘select into outfile’. By default the exploitation of the vulnerability is further limited because no query stacking is possible and the injection location resides within a select query. So no modifications of DB tables are possible, thus no combinations of the DB commands like select and insert are possible.
Despite these limitations of the default installation, it is possible to download nearly every exchanged file without a valid account (pre-auth). Even if client- certificate authorization has been enabled, the vulnerable function can still be reached.
On installations which have a weak DB configuration this vulnerability might lead to code-execution or to a full compromise of the system.
References:
siberas text version
CVE-2017-6195
IPSWITCH Security Bulletin