Has anyone else noticed that the MOVEit vulnerability looks at the uninstall key in the registry, and the patches the vendor provided are just side-loaded DLLs that don't increment this value?
What are people's thoughts about modifying that value to match what is installed and satisfy this alert?
I have noticed that as well. I submitted a case to Rapid7 this morning about this. It would require deleting or modifying (as you said) the registry entry or marking it a false positive (not in favor).
Yeah, I have an open ticket as well.
As mentioned, our checks for MOVEit are looking for updated registry keys when the version has been updated.
Since the initial response, the vendor has added an additional remediation option of side-loading patched DLL files, which fixes the vulnerability but does not bump the version in the registry.
Unfortunately, this results in the false positives you are experiencing.
For us to attempt to rectify this would result in massive performance implications for all scans, and at this time we do not believe it adds enough value to warrant the performance degradation.
As a result, the best options remaining are to upgrade rather than side-load the DLL, manually update the registry, or put in place an exception until such time as you are able to perform an update. The first option is the safest; however, if you are happy that the risk has been removed, then the other two options will remove this false positive result.
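
The mismatch discussed in this thread can be documented per host before an exception is filed or the registry value is edited. The script below is an added example, not part of any post above and not Rapid7 or vendor code; it assumes the product's uninstall entry has a `DisplayName` matching `*MOVEit*` and that the entry records an `InstallLocation`.

```powershell
# Added example: collect the registry version the scanner reads and the
# file versions of the DLLs actually on disk, side by side.
# Assumption: the uninstall entry's DisplayName matches this filter.
$NameFilter = '*MOVEit*'

# Standard Windows uninstall key locations (64-bit and 32-bit views).
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$entries = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NameFilter }

$report = foreach ($entry in $entries) {
    # What a registry-based check sees: unchanged by a DLL drop-in patch.
    [pscustomobject]@{
        Source   = 'Registry'
        Name     = $entry.DisplayName
        Version  = $entry.DisplayVersion
        Modified = $null
        Path     = $entry.PSPath
    }

    # InstallLocation is optional in uninstall entries, so check it first.
    if ($entry.InstallLocation -and (Test-Path -LiteralPath $entry.InstallLocation)) {
        Get-ChildItem -LiteralPath $entry.InstallLocation -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
            Sort-Object LastWriteTime -Descending |
            ForEach-Object {
                # What is actually installed: replaced DLLs show a newer
                # file version and/or write time than the registry implies.
                [pscustomobject]@{
                    Source   = 'File'
                    Name     = $_.Name
                    Version  = $_.VersionInfo.FileVersion
                    Modified = $_.LastWriteTime
                    Path     = $_.FullName
                }
            }
    }
}

$report | Format-Table -AutoSize
```

Compare the file rows against the versions listed in the vendor's advisory for the DLL patch; the output can be attached to the exception record as evidence that the fix is in place.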