While BigFix does not currently offer patch coverage on this product, you should be able to identify whether your systems could be affected by checking for ‘MOVEit Transfer’ in the following product areas:
BigFix Inventory, using the “Package Data” report
The “Application Information (Windows)” Analysis in the “BES Inventory and License” site from the Console, and the associated Web Reports
We added this to the Known Exploited Vulnerabilities Content Pack as well, with a fixlet to specifically audit systems for these vulnerabilities.
This vulnerability is reported in the CyberFOCUS Web Report if you have the KEV Content Pack. It also appears in CVE Search Dashboard.
As of 6/16/2023 we have published 2 detection fixlets in Updates for Windows Applications.
It seems to report itself as version “15.0.2.49” even though in the download URL it is “2023.0.2”. Can anyone confirm how it reports in the Windows registry uninstall key in terms of DisplayName and DisplayVersion?
Would be helpful to share results from the following session relevance:
unique values whose(it as lowercase contains "moveit") of values of results of bes properties whose(name of it as lowercase contains "Installed Applications - Windows" as lowercase)
Seems like the DisplayName contains MOVEit Transfer.
I think this is the correct relevance for detection of CVE-2023-35036:
exists (it as string as version) whose( (it = "15" AND it < "15.0.2") OR (it = "14.1" AND it < "14.1.6") OR (it = "14.0" AND it < "14.0.5") OR (it = "13.1" AND it < "13.1.5") OR (it = "13.0" AND it < "13.0.7") OR (it = "12.1" AND it < "12.1.9") OR (it < "12.1") ) of values "DisplayVersion" of keys whose(value "DisplayName" of it as string as lowercase contains "MOVEit Transfer" as lowercase) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries)
The new CVE published today would be detected with:
exists (it as string as version) whose( (it = "15" AND it < "15.0.3") OR (it = "14.1" AND it < "14.1.7") OR (it = "14.0" AND it < "14.0.6") OR (it = "13.1" AND it < "13.1.6") OR (it = "13.0" AND it < "13.0.8") OR (it = "12.1" AND it < "12.1.10") OR (it < "12.1") ) of values "DisplayVersion" of keys whose(value "DisplayName" of it as string as lowercase contains "MOVEit Transfer" as lowercase) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries)
I would expect this to be added to Updates for Windows Applications soon.
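As an added example (not code from the thread or from BigFix content), here is the same version-range check as the two relevance expressions above, written in Python so it can be run against DisplayName/DisplayVersion pairs exported from the HKLM Uninstall keys (both the x64 and x32 views) or, on a Windows host, read directly with winreg. The fixed-version tables are taken from the two posted expressions; the second table is labelled "later CVE" because the post does not name it. The sample entries at the bottom are constructed, except "15.0.2.49", which is the DisplayVersion reported earlier in the thread.

```python
"""Flag installed MOVEit Transfer builds below the fixed versions posted in the thread.

Each range is (branch lower bound inclusive, first fixed build exclusive); a build
below OLDEST_CHECKED is flagged regardless of branch, mirroring the final
`it < "12.1"` clause of the relevance expressions.
"""
from __future__ import annotations

import sys

# Table from the relevance posted for CVE-2023-35036.
RANGES_CVE_2023_35036 = [("15", "15.0.2"), ("14.1", "14.1.6"), ("14.0", "14.0.5"),
                         ("13.1", "13.1.5"), ("13.0", "13.0.7"), ("12.1", "12.1.9")]
# Table from the relevance posted for the later CVE (not named in the thread).
RANGES_LATER_CVE = [("15", "15.0.3"), ("14.1", "14.1.7"), ("14.0", "14.0.6"),
                    ("13.1", "13.1.6"), ("13.0", "13.0.8"), ("12.1", "12.1.10")]
OLDEST_CHECKED = "12.1"

UNINSTALL_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"


def parse_version(text: str, width: int = 4) -> tuple[int, ...]:
    """Turn a DisplayVersion string such as '15.0.2.49' into a zero-padded int tuple.

    Non-numeric characters inside a component are dropped so values such as
    '14.1.6a' still compare sensibly.
    """
    parts: list[int] = []
    for component in text.strip().split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    parts = parts[:width]
    return tuple(parts + [0] * (width - len(parts)))


def is_vulnerable(display_version: str, ranges: list[tuple[str, str]]) -> bool:
    """True when the version falls in one of the unfixed ranges (or predates OLDEST_CHECKED)."""
    version = parse_version(display_version)
    if version < parse_version(OLDEST_CHECKED):
        return True
    return any(parse_version(lo) <= version < parse_version(hi) for lo, hi in ranges)


def find_vulnerable(entries: list[tuple[str, str]], ranges: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Filter (DisplayName, DisplayVersion) pairs the same way the relevance does:
    case-insensitive DisplayName match on 'moveit transfer', then the version test."""
    return [(name, ver) for name, ver in entries
            if "moveit transfer" in (name or "").lower() and is_vulnerable(ver or "0", ranges)]


def read_uninstall_entries() -> list[tuple[str, str]]:
    """On Windows, read DisplayName/DisplayVersion from both registry views (x64 and x32)."""
    import winreg  # only available on Windows

    entries: list[tuple[str, str]] = []
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UNINSTALL_PATH, 0, winreg.KEY_READ | view)
        except OSError:
            continue
        with root:
            index = 0
            while True:
                try:
                    sub = winreg.EnumKey(root, index)
                except OSError:
                    break
                index += 1
                try:
                    with winreg.OpenKey(root, sub) as key:
                        name, _ = winreg.QueryValueEx(key, "DisplayName")
                        ver, _ = winreg.QueryValueEx(key, "DisplayVersion")
                        entries.append((str(name), str(ver)))
                except OSError:
                    continue  # entry lacks one of the values; skip it like the relevance does
    return entries


# Constructed sample data standing in for exported Uninstall entries.
SAMPLE_ENTRIES = [
    ("MOVEit Transfer", "15.0.2.49"),          # DisplayVersion reported in the thread
    ("MOVEit Transfer", "14.1.5.97"),          # constructed
    ("MOVEit Automation", "2023.0.1"),         # constructed; different product, must not match
    ("Progress MOVEit Transfer", "12.0.3"),    # constructed; older than 12.1
    ("Notepad++ (64-bit x64)", "8.5.3"),       # constructed; unrelated
]

if __name__ == "__main__":
    data = read_uninstall_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for label, table in (("CVE-2023-35036", RANGES_CVE_2023_35036), ("later CVE", RANGES_LATER_CVE)):
        print(label, find_vulnerable(data, table))
```

Run on the sample data, "15.0.2.49" is clean for CVE-2023-35036 (the fixed build there is 15.0.2) but flagged for the later CVE (fixed build 15.0.3), which is exactly the difference between the two posted expressions; 14.2.x builds are not flagged by either table because no branch range covers them, matching the relevance.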
Also, apparently I can’t spell (this was not a surprise to me), so spelling mistakes will also be corrected in an upcoming publish.
Also, it seems I was missing “as lowercase” in the fixlets, which @itsmpro92 pointed out, but it seems I forgot to update the fixlet itself to reflect that, even though I updated the forum post. The GitHub copies have been fixed; the currently published fixlet needs to be fixed as well.
If you have grabbed a copy from GitHub make sure you grab it again to get the fixes.
If you think this may be useful, refer to the following link to my GitHub to find a Scan Task and an Analysis to process the results. Depending on feedback, if you find this useful we may consider adding to our content library.
The associated Analysis from the GitHub repo will retrieve the results of the scan. Expected false positives are ignored and not reported in the Analysis. (It is normal for the raw scan results to have false positives based on YARA signatures matching against themselves, i.e. matching the actual signature file, the script that generates the signature file in the action.fxf file, and references to the signature in ActionHistory.db.)
Be aware that the scan is executed with no throttling, and by default scans against all local hard drives. This particular YARA scan should be targeted only to those machines that actually have MOVEit installed, and when scanning multiple systems be sure to stagger the scans over time, especially for scanning across VMs or systems with shared storage.
For help on actually downloading the files from GitHub, see Tips: Downloading files from GitHub.
Once downloaded, these can be added to a Custom Site using the ‘File->Import’ function in the BigFix Console.
I created a fixlet to block HTTP and HTTPS incoming traffic on port 80 and port 443 if MOVEit Transfer is installed, which is one of the first mitigation strategies to take. See here: