1. Introduction
The Progress MOVEit Transfer FTP Detection indicates that the FTP server component of Progress MOVEit Transfer is present on a remote host. This matters because MOVEit Transfer has been subject to recent, significant security incidents involving data breaches. Systems affected are typically those used for secure file transfer between organisations and their partners. A successful attack could compromise confidentiality, integrity, and availability of transferred files.
2. Technical Explanation
The detection identifies the presence of an FTP server associated with Progress MOVEit Transfer. This plugin does not determine the version installed. An attacker gaining access to a vulnerable MOVEit Transfer instance could potentially exploit known vulnerabilities in the FTP service, leading to unauthorised data access or modification. There is no specific CVE currently associated with simply running the FTP server; however, exploitation of other MOVEit components has been observed. For example, an attacker might attempt brute-force attacks against weak credentials used for FTP access.
- Root cause: The presence of the MOVEit Transfer FTP service exposes a potential attack surface.
- Exploit mechanism: An attacker could use standard FTP tools to connect and attempt to list directories or download files without authorisation, if authentication is bypassed or weak credentials are used.
- Scope: Systems running Progress MOVEit Transfer (formerly Ipswitch MOVEit DMZ) with the FTP server enabled.
3. Detection and Assessment
Confirming the presence of the FTP service is the primary assessment step. Further investigation into the version installed is recommended, though this plugin does not provide it.
- Quick checks: Check running processes for ‘moveitftp’ or similar using task manager or command line tools.
- Scanning: Nessus plugin ID 16894 can identify the FTP service. This should be considered an example only as detection capabilities may vary.
- Logs and evidence: Review application logs for entries related to FTP connections, authentication attempts, and file transfer activity. Specific log paths will depend on MOVEit Transfer configuration.
ps aux | grep '[m]oveitftp'
4. Solution / Remediation Steps
The primary remediation step is to disable the unnecessary FTP service if it’s not required for business operations.
4.1 Preparation
- Ensure you have administrator credentials to access and modify the MOVEit Transfer configuration. A roll back plan is to restore from the pre-change snapshot/backup.
- A change window may be required depending on service dependencies and impact assessment. Approval from the IT security team might be needed.
4.2 Implementation
- Step 1: Log in to the MOVEit Transfer administration console.
- Step 2: Navigate to the configuration settings for FTP access.
- Step 3: Disable the FTP server service.
- Step 4: Save the changes and restart the MOVEit Transfer service.
4.3 Config or Code Example
Before
FTP Enabled: Yes
After
FTP Enabled: No
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help mitigate risks associated with MOVEit Transfer and similar file transfer solutions.
- Practice 1: Least privilege – limit access to the MOVEit Transfer server and its components to only those users who require it.
- Practice 2: Secure defaults – configure MOVEit Transfer with strong default settings, including password complexity requirements and multi-factor authentication where possible.
4.5 Automation (Optional)
Automation is not generally suitable for this specific remediation step without detailed knowledge of the MOVEit Transfer API or configuration management tools.
5. Verification / Validation
- Post-fix check: Run `ps aux | grep '[m]oveitftp'` and confirm there are no processes matching ‘moveitftp’ (the bracket keeps grep from matching its own command line).
- Re-test: Re-run Nessus plugin ID 16894 to verify that it no longer detects the FTP service.
- Smoke test: Verify that any other MOVEit Transfer functionality still works as expected (e.g., SFTP access, web interface).
- Monitoring: Monitor application logs for unexpected errors or connection attempts related to FTP.
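The re-test and smoke test above can also be checked from the network side. The following is an added example, not part of the original page or of any Progress tooling: it confirms that the FTP control port no longer answers and that the SFTP listener still sends an SSH identification string. Ports 21 and 22 and all function names are assumptions; use the ports your instance is configured with.

```python
import socket
import sys

FTP_GREETING_CODES = ("220", "120", "421")  # reply codes an FTP server may send on connect (RFC 959)

def classify_banner(data: bytes) -> str:
    """Classify the first bytes a service sends after the TCP handshake."""
    text = data.decode("latin-1", "replace")
    if text.startswith("SSH-"):  # SSH identification string (RFC 4253), used by SFTP
        return "ssh"
    first = text.split("\n", 1)[0]
    # "220 text" is a single-line reply, "220-text" opens a multi-line reply.
    if first[:3] in FTP_GREETING_CODES and first[3:4] in (" ", "-"):
        return "ftp"
    return "unknown"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'unreachable', 'silent', 'ftp', 'ssh' or 'unknown' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                data = b""  # port accepted the connection but sent nothing
    except OSError:
        return "unreachable"  # refused, reset or filtered
    return classify_banner(data) if data else "silent"

def verify_remediation(host: str, ftp_port: int = 21, sftp_port: int = 22) -> dict:
    """Post-fix check: FTP listener gone, SFTP listener still greeting."""
    ftp_state = probe(host, ftp_port)
    sftp_state = probe(host, sftp_port)
    return {
        "ftp_state": ftp_state,
        "sftp_state": sftp_state,
        # Anything other than 'unreachable' means something still listens on the FTP port.
        "ftp_disabled": ftp_state == "unreachable",
        "sftp_ok": sftp_state == "ssh",
    }

if __name__ == "__main__":
    # Usage: python verify_ftp_off.py <host>
    result = verify_remediation(sys.argv[1])
    print(result)
    sys.exit(0 if result["ftp_disabled"] and result["sftp_ok"] else 1)
```

A `silent` or `unknown` result on the FTP port is not a pass: it means a listener is still bound there and should be identified before the change is closed.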
ps aux | grep '[m]oveitftp'
6. Preventive Measures and Monitoring
Regular security assessments and configuration reviews can help prevent similar issues.
- Baselines: Update a security baseline or policy to include requirements for disabling unnecessary services like FTP on MOVEit Transfer servers.
- Pipelines: Implement static code analysis (SCA) during deployment to identify insecure configurations in infrastructure-as-code templates.
- Asset and patch process: Establish a regular patch review cycle for MOVEit Transfer and its components.
7. Risks, Side Effects, and Roll Back
Disabling the FTP service may impact users or applications that rely on it.
- Risk or side effect 2: Potential compatibility issues with older systems that only support FTP. Mitigation: Investigate alternative secure file transfer methods.
- Roll back: Step 1: Log in to the MOVEit Transfer administration console. Step 2: Navigate to the configuration settings for FTP access. Step 3: Re-enable the FTP server service. Step 4: Save the changes and restart the MOVEit Transfer service.
8. References and Resources
Links to official resources related to Progress MOVEit Transfer.
- Vendor advisory or bulletin: https://www.progress.com/moveit
- NVD or CVE entry: No specific CVE for FTP service presence, but refer to entries related to MOVEit Transfer vulnerabilities.
- Product or platform documentation relevant to the fix: https://docs.progress.com/moveit-transfer