The MOVEit software included an SQL injection vulnerability that has been exploited to take over systems and steal data. TitanFile does not use MOVEit and has secure software development processes in place to ensure its software is free from such vulnerabilities.
What is MOVEit?
MOVEit is a secure file transfer solution created by Ipswitch, a subsidiary of Progress Software Corporation based in the United States. The solution enables enterprises to safely transfer files between various stakeholders, including business partners and customers, utilizing protocols such as SFTP, SCP, and HTTP-based uploads.
The solution provides two deployment options: an on-premises product, MOVEit Transfer, where the customer manages the system internally, and a cloud-based Software-as-a-Service (SaaS) platform, MOVEit Cloud, which is managed by the developer. This allows organizations to choose the deployment model that best suits their requirements and preferences.
Thousands of organizations around the world are using MOVEit today to share confidential data.
About the MOVEit zero-day data breach
On May 31st, Progress published an advisory that warned of a critical SQL injection vulnerability in its MOVEit Transfer and MOVEit Cloud solutions. This vulnerability has been named CVE-2023-34362 and would allow unauthorized criminals to gain access to MOVEit Transfer and MOVEit Cloud databases of versions released prior to May 31st, 2023.
Depending on the database engine in use (MySQL, Microsoft SQL Server, or Azure SQL), the vulnerability makes it possible for an attacker to gain insight into the structure and data within the database, as well as execute SQL statements that can modify or delete elements of the database.
On June 9th and June 15th, Progress Software disclosed its second and third SQL injection vulnerabilities, later named CVE-2023-35036 and CVE-2023-35708 respectively. Both of these vulnerabilities allowed attackers to submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.
To date, a number of organizations whose supply chains use MOVEit products have fallen victim to a data breach and have had their data compromised.
What is SQL injection?
SQL injection is a type of cybersecurity vulnerability that occurs when an attacker injects malicious SQL (Structured Query Language) code into a web application’s database query. It takes advantage of improper input validation or inadequate sanitization of user-supplied data.
Here’s a general overview of how SQL injection works:
- User input: A web application allows users to input data, such as through a form field or URL parameter.
- Constructing SQL queries: The application takes the user input and constructs an SQL query dynamically, typically concatenating strings of SQL code with the user-supplied data.
- Malicious input: An attacker submits specially crafted input, which includes SQL code instead of expected data.
- Exploiting the vulnerability: If the application does not properly validate or sanitize the input, the malicious SQL code becomes part of the query executed by the database.
- Unauthorized access or manipulation: The injected SQL code can modify the intended behavior of the query, allowing the attacker to perform various unauthorized actions. This could include extracting sensitive data, modifying or deleting records, or executing arbitrary commands on the database server.
SQL injection attacks can have severe consequences, such as unauthorized data disclosure, data loss or corruption, privilege escalation, or even complete compromise of the application and underlying systems.
How to prevent SQL injection attacks
To safeguard your applications and the data they handle, it’s crucial to implement robust defenses against SQL injections.
Below, we will explore some best practices and techniques to protect your applications from SQL injection vulnerabilities.
1. Use secure software development methodology
Secure development methodology, also known as secure software development life cycle (SDLC), is an approach to software development that incorporates security principles and practices throughout the entire development process. It focuses on identifying and mitigating security risks from the early stages of development to the deployment and maintenance phases.
Adopting a secure development methodology can help prevent SQL injections and other security vulnerabilities through:
- Threat modeling
- Secure coding practices
- Secure code review and testing
- Security training and awareness
- Ongoing maintenance and updates.
2. Educate developers and test for OWASP Top 10
The OWASP Top 10 is a list of the most critical security risks faced by web applications. It is created and maintained by the Open Web Application Security Project (OWASP), a non-profit organization dedicated to improving software security. The OWASP Top 10 provides guidance on common vulnerabilities and helps developers prioritize security measures.
The OWASP Top 10 list includes various types of vulnerabilities, and SQL injection is one of them. By understanding and addressing the recommendations provided by OWASP, developers can prevent SQL injection attacks as well as other common attacks.
3. Enforce user input validation
User input validation is the process of verifying and sanitizing the data entered by users before it is processed or stored by an application. This means that the format, type, length, and range of the input data need to be validated so that the data meets the expected criteria.
By ensuring that user-supplied data contains nothing capable of changing the structure or behavior of SQL queries, user input validation has a vital role to play in stopping SQL injection attacks.
4. Use middleware to sanitize SQL queries
In the context of web development, middleware refers to a software component or layer that sits between the application and the server/database. It provides a set of functions or routines that enable communication and data processing between different components of a software system. Middleware acts as a bridge, facilitating interactions and enhancing the functionality of the application.
When it comes to sanitizing SQL queries, middleware can intercept incoming user input before it reaches the database. It can apply validation checks to ensure that the input adheres to the expected format and data types. Additionally, middleware can sanitize the input by removing or escaping characters that could potentially alter the SQL query structure and inject malicious code.
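The validation checks described under point 3 (format, type, length, range) and the interception point described in this section, combined in one added Python example that is not code from the original article or from any particular framework: a declarative field schema, a `validate` function that enforces it with allow-list rules, and a `validated` decorator that plays the middleware role by checking the request before the handler (and its SQL) ever sees it. The field names, the schema and the sample requests are constructed for the demonstration; the handler returns the parameterized query it would run rather than executing it.

```python
import re
from functools import wraps


class ValidationError(ValueError):
    """Raised when a request field fails validation."""


# Constructed example schema. Each rule states the properties the article lists:
# type, format (allow-list regex), length and numeric range.
FIELD_RULES = {
    "username": {"type": str, "pattern": re.compile(r"[A-Za-z0-9_.-]+"), "max_len": 32},
    "page": {"type": int, "min": 1, "max": 1000},
}


def validate(data, rules=FIELD_RULES):
    """Return a cleaned copy of `data`, raising ValidationError on the first violation."""
    cleaned = {}
    for name, rule in rules.items():
        if name not in data:
            raise ValidationError(f"missing field: {name}")
        value = data[name]
        # Type: numbers arrive as strings over HTTP, so convert strictly (digits only).
        if rule["type"] is int:
            if not re.fullmatch(r"-?\d+", str(value)):
                raise ValidationError(f"{name}: not an integer")
            value = int(value)
        elif not isinstance(value, str):
            raise ValidationError(f"{name}: expected a string")
        # Length: bound the size before any other processing.
        if "max_len" in rule and len(value) > rule["max_len"]:
            raise ValidationError(f"{name}: too long")
        # Format: allow-list of characters, so quotes, spaces and comment markers are rejected.
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            raise ValidationError(f"{name}: invalid characters")
        # Range: only meaningful for numeric fields.
        if "min" in rule and value < rule["min"]:
            raise ValidationError(f"{name}: below minimum")
        if "max" in rule and value > rule["max"]:
            raise ValidationError(f"{name}: above maximum")
        cleaned[name] = value
    # Fields not declared in the schema are dropped rather than passed through.
    return cleaned


def validated(handler):
    """Middleware-style wrapper: the handler only receives requests that passed validation."""
    @wraps(handler)
    def wrapper(request):
        return handler(validate(request))
    return wrapper


@validated
def list_files(request):
    """Hypothetical handler. Returns the SQL and bound parameters it would execute."""
    # Even after validation the values are bound as parameters, never concatenated.
    offset = (request["page"] - 1) * 20
    return ("SELECT name FROM files WHERE owner = ? LIMIT 20 OFFSET ?",
            (request["username"], offset))


if __name__ == "__main__":
    print(list_files({"username": "alice", "page": "2"}))
    for bad in ({"username": "' OR '1'='1", "page": "1"},
                {"username": "bob", "page": "0"},
                {"username": "bob", "page": "1; DROP TABLE files"}):
        try:
            list_files(bad)
        except ValidationError as err:
            print("rejected:", err)
```

The decorator is deliberately framework-agnostic; in a real WSGI or ASGI stack the same `validate` call would sit in the middleware chain, and rejected requests would be answered with a 400 response and a log entry rather than an exception reaching the caller. Validation here narrows what the handler accepts; it does not replace parameter binding in the query itself.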
5. Perform static code analysis
Static code analysis is a technique used in software development to examine the source code of a program without executing it. It involves analyzing the codebase for potential issues, errors, or vulnerabilities, with the goal of improving code quality, identifying bugs, and enhancing security.
By utilizing static code analysis tools, you can detect SQL injection vulnerabilities and patch them before they are exploited.
6. Undergo routine vulnerability testing
Vulnerability testing, also known as vulnerability assessment or security testing, is a process of evaluating software systems or applications to identify security weaknesses, vulnerabilities, and potential attack vectors. It involves systematic testing techniques to identify and assess vulnerabilities in order to mitigate risks and improve the overall security of the system.
In the context of preventing SQL injection attacks, vulnerability testing plays a crucial role by identifying and addressing potential vulnerabilities such as the MOVEit vulnerability before they can be exploited.
7. Undergo external penetration testing (pentesting)
External penetration testing, often referred to as a pentest, is a security assessment conducted by external security experts to identify vulnerabilities and assess the security posture of an organization’s network, systems, or applications. It involves simulating real-world attack scenarios to identify potential weaknesses and provide recommendations for improving overall security.
When it comes to preventing SQL injections, external penetration testing can play a vital role by identifying vulnerabilities and providing insights on how to mitigate them.
Does the MOVEit Breach Impact TitanFile?
TitanFile does not use MOVEit and has secure software development processes in place to ensure that its software is free from SQL injection vulnerabilities.
TitanFile utilizes robust measures to prevent SQL injection attacks. It enforces user input validation and employs industry-leading security middleware to sanitize all database SQL queries, ensuring that malicious code cannot be injected. By performing static code analysis, TitanFile proactively screens for vulnerabilities in its codebase.
Furthermore, TitanFile prioritizes security by subjecting its system to annual external penetration testing conducted by a competent third party. This comprehensive pentest includes both manual and automated testing, specifically targeting the OWASP Top 10 vulnerabilities, which encompasses SQL injection. This rigorous testing helps ensure that TitanFile maintains a strong security posture and remains resilient against potential SQL injection threats.
Learn more about TitanFile’s security infrastructure.
References and Resources:
- Progress. “MOVEit: Managed File Transfer Software.” Accessed on June 22nd, 2023. Available at: https://www.progress.com/moveit
- Progress. “MOVEit Transfer and MOVEit Cloud Vulnerability.” Accessed on June 22nd, 2023. Available at: https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability
- National Vulnerability Database (NVD). “CVE-2023-34362.” Accessed on June 22nd, 2023. Available at: https://nvd.nist.gov/vuln/detail/CVE-2023-34362
- National Vulnerability Database (NVD). “CVE-2023-35036.” Accessed on June 22nd, 2023. Available at: https://nvd.nist.gov/vuln/detail/CVE-2023-35036
- National Vulnerability Database (NVD). “CVE-2023-35708.” Accessed on June 22nd, 2023. Available at: https://nvd.nist.gov/vuln/detail/CVE-2023-35708
- OWASP. “SQL Injection.” Accessed on June 22nd, 2023. Available at: https://owasp.org/www-community/attacks/SQL_Injection