Fortra Discloses Critical Auth Bypass Vuln in GoAnywhere MFT
PoC exploit code for flaw is publicly available, heightening breach risks for users of the managed file-transfer technology.
January 24, 2024
A proof-of-concept exploit is now available for a near maximum-severity flaw in Fortra's GoAnywhere Managed File Transfer (MFT) software that the company publicly disclosed on Jan. 23 after quietly informing customers about the threat almost seven weeks ago.
The release of the exploit means mass attacks targeting the flaw are almost certain to begin soon. According to telemetry that Tenable analyzed, less than 4% of GoAnywhere MFT assets appear to be fixed versions, meaning more than 96% are at significantly heightened risk of compromise.
Last year, the Cl0p ransomware group exploited a remote code injection bug in GoAnywhere (CVE-2023-0669) — initially as a zero-day — to deploy ransomware on systems belonging to more than 130 organizations, including Procter & Gamble, Hitachi Energy, the city of Toronto, Community Health Systems, and Hatch Bank.
Authentication Bypass Flaw
The newly disclosed CVE-2024-0204 is an authentication bypass vulnerability that affects Fortra GoAnywhere MFT 6.x from 6.0.1 and Fortra GoAnywhere MFT 7.x before 7.4.1. The vulnerability allows an unauthenticated remote attacker to bypass typical authentication checks and create new user accounts, including those with administrator-level privileges. Fortra has assigned the vulnerability a severity score of 9.8, which is close to the maximum possible 10 on the CVSS severity scoring scale.
Fortra privately informed customers about the vulnerability on Dec. 7, 2023, and issued a patch for it, after two bug hunters reported the issue to the company. Following Fortra's disclosure of the bug on Jan. 23, researchers from Horizon3.ai published a proof-of-concept exploit for CVE-2024-0204 along with indicators of compromise (IoCs) and technical details of the bug. The exploit demonstrates how an attacker can abuse the vulnerability to add an administrative user on vulnerable instances of GoAnywhere MFT.
"The easiest indicator of compromise that can be analyzed is for any new additions to the Admin Users group in the GoAnywhere administrator portal Users -> Admin Users section," Horizon3.ai said. "If the attacker has left this user here you may be able to observe its last logon activity here to gauge an approximate date of compromise."
Trivial to Exploit
James Horseman, exploit developer at Horizon3.ai, described the new vulnerability as trivial to exploit. "An attacker can easily scan the Internet for instances of GoAnywhere MFT using Shodan or a similar tool," he says. "After that, any attacker can easily try the exploit to determine if the instance is vulnerable."
Thousands of organizations currently use GoAnywhere MFT to manage ad hoc and batch file transfers in what the company describes as a secure, fully encrypted, and auditable fashion. The company has described users of GoAnywhere as ranging from small organizations to Fortune 500 companies, nonprofits, and government agencies.
Managed file transfer technologies such as GoAnywhere are a treasure trove of information for attackers, says Scott Caveza, senior research engineer at Tenable, which has published a blog post on CVE-2024-0204. "[The products are] typically used by organizations as a quick and easy way to share information with customers, partners, and internal stakeholders," Caveza notes. "Sensitive information is likely to be found on these systems, making them a very attractive target."
The Cl0p ransomware group's attack on the GoAnywhere MFT flaw from 2023 (CVE-2023-0669) was one of the most visible manifestations of that interest. The attacks prompted the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to include the vulnerability in a June 2023 advisory on the Cl0p ransomware threat.
Caveza says it was not just the Cl0p gang that targeted the flaw. "While the Cl0p ransomware variant gained the most attention and was widely used, we've seen reports from various third parties to suggest that BlackCat (ALPHV) and LockBit may have also exploited CVE-2023-0669 as well," he says. "It's likely these other groups began their exploitation after the vulnerability was publicly known."
Giving Customers Time to Patch
Fortra's decision to delay public disclosure of the new bug by several weeks almost certainly stemmed from an effort to give customers an opportunity to patch the issue before attackers began jumping all over it. The company attracted some flak last year for the way it handled communications regarding CVE-2023-0669. In fact, it wasn't until cybersecurity news site Krebs on Security posted Fortra's advisory on the bug that most people even learned about the threat.
"We've observed vendors who have taken the approach of privately disclosing to their customers before making a public advisory, which has had mixed success," Caveza says. "On one hand, it gives your customers the chance to apply a patch or mitigation before details are public. On the other hand, the lack of transparency could affect public image."
It's a sentiment that Horseman shares. By delaying disclosure, an organization gives customers time to mitigate and prepare. "On the other hand, users may not feel the urgency to patch without the public disclosure," Horseman says. "Patching can disrupt business operations and requires pre-planning. By delaying public disclosure, vendors are withholding information from users that can be used when determining when to patch."
About the Author
You May Also Like