GoAnywhere MFT

Patch now! Fortra GoAnywhere MFT vulnerability exploit available

A new vulnerability in Fortra GoAnywhere MFT now has exploit code available that allows an attacker to create a new admin user.

On January 22, 2024, software company Fortra warned customers about a new authentication bypass vulnerability impacting GoAnywhere MFT (Managed File Transfer) that allows an attacker to create a new admin user.

Fortra GoAnywhere MFT is a file transfer solution that organizations use to exchange their data. Some of the organizations that use GoAnywhere MFT are considered vital infrastructure such as local governments, financial companies, healthcare organizations, energy firms, and technology manufacturers.

The flaw impacts Fortra GoAnywhere MFT 6.x from 6.0.1 and Fortra GoAnywhere MFT 7.4.0 and earlier.

Customers should either install the latest update (now at 7.4.1) to fix the vulnerability, or eliminate the vulnerability in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart. For additional information, see this advisory for customers (registration required).

By handing out these specific instructions it was to be expected that exploit code would come sooner rather than later. And, indeed, researchers were quick to analyze the flawed file and come up with an exploit and Proof-of-Concept (PoC) code.

Fortra told BleepingComputer earlier that there have been no reports of attacks exploiting this vulnerability. This might change quickly now that exploit code is readily available. To find out if your instance was compromised you should look for any new additions to the Admin Users group in the GoAnywhere administrator portal Users -> Admin Users section. Any new and unknown administrative users indicate a compromise and the login date will give you an idea about the time of compromise.

You can also look at the logs for the database which are stored at \GoAnywhere\userdata\database\goanywhere\log\*.log. These files contain a transactional history of the database, adding users will create entries in that log.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. This vulnerability is listed as:

CVE-2024-0204: Authentication bypass in Fortra’s GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.

Basically it’s a path traversal flaw that allow attackers to read, and write to, restricted files by inputting path traversal sequences like ../ or /..;/ into file or directory paths.

If the mention of the name of Fortra GoAnywhere sent shivers down your security sensors, you may have been reminded of the exploitation by the Clop ransomware gang of a vulnerability in the same software last year.

Despite several warnings about last year’s vulnerability, a great many victims were made even after the patch was available.

Let’s hope we are capable of learning from the mistakes we made in the past.