Advisory January 24, 2024

Critical CVE-2024-0204

The Obrela Threat Intelligence Team

Critical CVE-2024-0204 in Fortra’s GoAnywhere MFT

On January 22, 2024, Fortra issued a security advisory regarding a critical security flaw (CVE-2024-0204) in its GoAnywhere Managed File Transfer (MFT) software. This vulnerability allows unauthorized users to exploit an authentication bypass, potentially leading to the creation of administrator accounts. The severity of the issue is underscored by its CVSS score of 9.8 out of 10.

Technical Details

GoAnywhere MFT stands as a pivotal web-based managed file transfer solution, designed to facilitate secure file transfers among organizations and their partners, while also maintaining comprehensive audit logs to track all interactions with shared files. Discovered by Mohammed Eldeeb and Islam Elrfai of Spark Engineering Consultants in December 2023, this vulnerability stems from a path traversal weakness in the “/InitialAccountSetup.xhtml” endpoint.

Affected Products

  • Fortra GoAnywhere MFT 6.x from 6.0.1
  • Fortra GoAnywhere MFT 7.x before 7.4.1

Exploitation

  • Horizon3.ai, a cybersecurity firm, published a proof-of-concept (PoC) exploit, highlighting the risk of creating administrative users through this weakness.
  • There is currently no evidence of active exploitation.
  • A similar flaw (CVE-2023-0669) in GoAnywhere MFT was exploited by the Clop ransomware group last year, affecting over 100 organizations.

Recommended Actions

  1. Upgrade to Version 7.4.1: Users are strongly urged to upgrade their GoAnywhere MFT installations to version 7.4.1 or higher to mitigate the identified vulnerability.
  2. Temporary Workarounds: For those unable to immediately upgrade, temporary workarounds are available:
    • Non-container deployments: Delete the InitialAccountSetup.xhtml file in the install directory and restart services.
    • Container-deployed instances: Replace the file with an empty equivalent and restart services.
  3. Monitoring for Compromises: Exercise heightened vigilance by monitoring the Admin Users group in the GoAnywhere administrator portal for any unanticipated additions. Additionally, observe last logon activity to gauge the potential date of compromise.

References