Back in early 2023 a ransomware group stole data from over 100 organisations, including Rio Tinto and Shell, after exploiting a critical vulnerability in the widely used file sharing service Fortra GoAnywhere.
Now an exploit has been released for a fresh critical (CVSS 9.8) vulnerability in the managed file transfer (MFT) software. The authentication bypass vulnerability, CVE-2024-0204, allows an unauthenticated, remote attacker to create an administrative user.
Fortra quietly patched the new GoAnywhere vulnerability on December 7 with the release of GoAnywhere MFT 7.4.1. It only publicly disclosed it on January 22, 2024 after giving customers six weeks to patch quietly.
Customers were given details in a private customer advisory.
For those looking for a quick vuln check, requests to /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml for vuln return 200, patched return 401
— Zach Hanley (@hacks_zach) January 23, 2024
Now a detailed breakdown of the new Fortra GoAnywhere vulnerability, CVE-2024-0204, has been released by security firm Horizon3's Attack Team however – meaning any customers foolish enough to have not patched over the past few weeks are likely to come under attack in the near future.
The company has also published an exploit: Just 10 short lines of code.
(Fortra GoAnywhere is a "secure file transfer solution that organizations use to exchange their data safely" as the company puts it. Customers use it at enterprise scale: e.g. to share tens of thousands of documents weekly. The largest non-bank credit card company in the US, for example, uses it to share credit card details.)
When it comes to IOCs, it noted that logs for the database are stored at \GoAnywhere\userdata\database\goanywhere\log\*.log.
“These files contain transactional history of the database, for which adding users will create entries” – if an attacker does not expunge them.
GoAnywhere administrators who for whatever reason cannot upgrade promptly can mitigate by removing the attack vector.
- Delete the InitialAccountSetup.xhtml file in the installation directory and restart the services.
- Replace the InitialAccountSetup.xhtml file with an empty file and restarting the services.
Hopefully most GoAnywhere customers have learned a bitter lesson in 2023 and patched this critical pre-auth RCE promptly even though it was not yet reported as being exploited in the wild when the fix landed quietly in December. It can be strikingly easy to overlook security updates when running a large and complex suite of applications at enterprise scale however and there will no doubt be stragglers. With an exploit out in the open, this is likely a final warning before they get popped. Patch up!
Fortra credited Mohammed Eldeeb & Islam Elrfai, Spark Engineering Consultants with the vulnerability disclosure, which it describes as a CWE-425 Direct Request ('Forced Browsing') vulnerability type.
