A critical vulnerability (CVE-2024-0204) has been discovered in Fortra GoAnywhere MFT [3], a managed file transfer product [2]. By exploiting an authentication bypass [6], an unauthenticated attacker can create new users [3], including administrator accounts [6]. The vulnerability is rated 9.8 out of 10 in severity [4] [5].

Description

Fortra privately notified customers of the vulnerability on December 7, 2023, and released a patch at that time [4]; the advisory has only recently been made public. Fortra has warned customers about the authentication bypass and recommends applying mitigations immediately [1]. To address the issue, Fortra has released GoAnywhere MFT 7.4.1 [1]. GoAnywhere MFT versions 6.0.1 through 7.4.0 are affected.

Researchers from cybersecurity firm Horizon3’s Attack Team have also released a proof-of-concept exploit demonstrating how the vulnerability can be used to create new admin users on vulnerable instances. The exploit is described as easy to use [4], and any attacker can scan the internet for exposed GoAnywhere MFT instances to determine whether they are susceptible [4].

To mitigate the vulnerability, organizations are advised to delete the /InitialAccountSetup.xhtml endpoint and restart the service [1]. It is also recommended to monitor the admin users group in the GoAnywhere administrator portal for unrecognized accounts: because exploitation creates a new administrator user, an admin account nobody can account for is the primary sign that the vulnerability was exploited before the mitigation was applied.
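As an added example (not code from the article or from Fortra), a small Python audit script for the two mitigation steps above: it verifies that the setup endpoint on the operator's own admin portal no longer resolves, and it flags admin accounts that are missing from an approved baseline or were created after the December 7, 2023 notification. The CSV export format, the hostname and the account names are constructed assumptions.

```python
from __future__ import annotations

import csv
import io
from datetime import datetime, timezone
from typing import Callable, Iterable

# Endpoint named in the vendor mitigation; it must be gone after the fix is applied.
SETUP_ENDPOINT = "/InitialAccountSetup.xhtml"
DISCLOSURE_DATE = datetime(2023, 12, 7, tzinfo=timezone.utc)  # private customer notification

# Constructed sample export of the admin users group (column layout is an assumption).
SAMPLE_EXPORT = """username,created
administrator,2022-03-01T09:00:00
mft-ops,2023-05-10T14:30:00
svc-backup,2024-01-19T03:12:45
"""
# Constructed baseline of admin accounts the operator knows about.
APPROVED_ADMINS = ["administrator", "mft-ops"]


def endpoint_mitigated(base_url: str, fetch_status: Callable[[str], int]) -> bool:
    """True when the setup endpoint on our own admin portal now returns 404.
    fetch_status is injected so tests run offline; in production pass e.g.
    lambda u: requests.head(u, allow_redirects=False).status_code."""
    return fetch_status(base_url.rstrip("/") + SETUP_ENDPOINT) == 404


def parse_admin_export(text: str) -> list[dict]:
    """Parse the (assumed) CSV export into rows with a tz-aware creation time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        created = datetime.fromisoformat(row["created"]).replace(tzinfo=timezone.utc)
        rows.append({"username": row["username"].strip(), "created": created})
    return rows


def unrecognized_admins(rows: list[dict], approved: Iterable[str]) -> list[str]:
    """Admin accounts absent from the approved baseline (case-insensitive match)."""
    known = {name.lower() for name in approved}
    return sorted(r["username"] for r in rows if r["username"].lower() not in known)


def created_since(rows: list[dict], since: datetime) -> list[str]:
    """Admin accounts created on or after `since`, e.g. the disclosure date."""
    return sorted(r["username"] for r in rows if r["created"] >= since)


if __name__ == "__main__":
    admins = parse_admin_export(SAMPLE_EXPORT)
    print("unrecognized:", unrecognized_admins(admins, APPROVED_ADMINS))
    print("created since disclosure:", created_since(admins, DISCLOSURE_DATE))
```

Any account reported by either function should be checked against change records before it is removed, since the export alone cannot say who created it.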

Conclusion

It is worth noting that this vulnerability resembles an earlier GoAnywhere MFT flaw exploited by the Clop ransomware group [2], which compromised data from numerous organizations [2], including a pediatric mental health provider [2]. The availability of proof-of-concept exploit code may lead to hacking campaigns targeting unpatched GoAnywhere MFT instances [1]. Organizations should therefore act immediately to protect their systems and data.

References

[1] https://securityaffairs.com/158043/hacking/goanywhere-mft-cve-2024-0204-poc-exploit.html
[2] https://www.infosecurity-magazine.com/news/exploit-code-critical-fortra/
[3] https://thehackernews.com/2024/01/patch-your-goanywhere-mft-immediately.html
[4] https://www.darkreading.com/cyberattacks-data-breaches/fortra-discloses-critical-auth-bypass-vuln-in-goanywhere-mft
[5] https://www.crn.com/news/security/2024/fortra-waited-six-weeks-to-issue-advisory-on-critical-goanywhere-vulnerability
[6] https://www.tenable.com/blog/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-vulnerability