Using GoAnywhere MFT for file transfers? Patch now – an exploit's out for a critical bug

Ancient path traversal exploit offers remote attackers admin access

Security experts are wasting no time in publishing working exploits for a critical vulnerability in Fortra GoAnywhere MFT, which was publicly disclosed just over a day ago.

Customers were first advised by Fortra in December on mitigations for the critical authentication bypass hole, and the flaw wasn't publicly revealed for more than a month.

Researchers from Horizon3 used the clues left behind in Fortra's public advisory, published on January 22, to develop a working exploit and demonstrate how new admin users could be created by unauthenticated attackers.

The exploit targets the vulnerable InitialAccountSetup.xhtml endpoint mentioned in Fortra's January advisory to reach the admin account setup page. The vulnerability, tracked as CVE-2024-0204, is remotely exploitable and has attracted a 9.8 severity rating.

Horizon3's exploit takes advantage of age-old path traversal weaknesses in Tomcat-based applications, where requests containing a /..;/ segment can slip past access restrictions and reach pages that should be forbidden, such as the admin account creation page in GoAnywhere MFT.

If remote attackers exploit the same path traversal technique when submitting the form to create a new admin user, the account will be created, giving the bad guys admin privileges.

The Register approached Fortra for a statement on the vulnerability and emerging exploit, but it did not respond at the time of writing.

Zach Hanley, chief attack engineer at Horizon3, said the clearest indicator of compromise would be noticing any new additions to the Admin Users group in the GoAnywhere MFT admin portal.

"If the attacker has left this user here you may be able to observe its last logon activity to gauge an approximate date of compromise."

Database logs will also contain transaction histories, meaning traces of any new admin accounts that were created can be found there, he added.

Affected versions of GoAnywhere MFT include 6.x from 6.0.1 and 7.x before 7.4.1, so it's a good idea to upgrade to at least version 7.4.1 in order to keep successful attacks at bay.

If patches can't be applied immediately for whatever reason, Fortra suggests deleting the InitialAccountSetup.xhtml file in non-container deployments and restarting the services. For container-deployed instances, replacing the file with an empty one and restarting services should mitigate the issue.
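As an added defensive example (not code from the article, Horizon3 or Fortra), this Python helper flags access-log requests that reach InitialAccountSetup.xhtml through a /..;/ segment, using the same per-segment normalisation Tomcat applies, and checks whether a reported version falls in the affected range. The log lines and the directory layout in them are constructed; only the endpoint name, the "..;" segment and the version bounds come from the article.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the article); the directory
# layout is hypothetical. Lines 1-2 mimic a traversal reaching the setup page
# (GET = page loaded, POST = account-creation form submitted); line 3 is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jan/2024:10:01:02 +0000] "GET /app/static/..;/setup/InitialAccountSetup.xhtml HTTP/1.1" 200 5120
10.0.0.5 - - [24/Jan/2024:10:01:09 +0000] "POST /app/static/..;/setup/InitialAccountSetup.xhtml HTTP/1.1" 302 0
10.0.0.9 - - [24/Jan/2024:10:02:00 +0000] "GET /app/auth/Login.xhtml HTTP/1.1" 200 4096
"""

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')

def normalize_tomcat_path(raw):
    """Approximate Tomcat's view of a request path: strip ';param' path
    parameters from every segment, then collapse '.' and '..' segments.
    A check on the raw string can pass while Tomcat serves something else."""
    out = []
    for seg in unquote(raw.split("?", 1)[0]).split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)

def find_setup_traversal(log_text):
    """Return (method, raw_path) for requests whose resolved path is the
    setup endpoint but whose raw path used a '..;' traversal segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        raw = m.group("path")
        if (normalize_tomcat_path(raw).endswith("/InitialAccountSetup.xhtml")
                and "..;" in unquote(raw)):
            hits.append((m.group("method"), raw))
    return hits

def is_affected_version(version):
    """Affected per the advisory: 6.x from 6.0.1 and 7.x before 7.4.1."""
    parts = tuple(int(p) for p in version.split("."))
    return (6, 0, 1) <= parts < (7, 4, 1)
```

A POST hit is the one to escalate: it is the form submission that would create the admin user, so cross-check it against the Admin Users group and the database transaction history mentioned above.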

According to internet traffic analysis biz Greynoise, there have been no detected exploit attempts thus far – a point Fortra echoed to wider media – but with proof-of-concept code now public, it's only a matter of time before exploit attempts start amassing.

Fortra itself is loud and proud about how some of the most critical data in the world is transferred using its software. Government entities and critical infrastructure organizations like energy companies, for example, rely on GoAnywhere MFT, meaning successful exploits could lead to the theft of significant data.

Industry watchers have highlighted the ease with which the vulnerability can be exploited and the potential for ransomware or extortion attacks is also evident given the nature of the vulnerability and the history of attacks on MFT.

Infosec news lovers will remember the security disaster Fortra suffered with GoAnywhere MFT last year when cybercrime outfit Clop began exploiting a zero-day to extort more than 130 companies, claiming some high-profile scalps in the process.

Hitachi Energy, Procter & Gamble, and IT biz Rubrik were among the headline victims of an attack that was one of the most significant of the year. It was also one that exemplified ransomware crims' switch to extortion-only attacks – a trend that gathered steam towards the back end of 2022 and really picked up in 2023.

But it wasn't the first of Clop's extortion-only attacks. In 2020, it started targeting users of Accellion's file-sharing software to steal data, holding it to ransom. High-profile victims were also caught up in the incident, including IBM's lawyers Jones Day, aerospace giant Bombardier, Morgan Stanley, Shell, and a smorgasbord of US universities, among many others.

Fortra's latest incident was first disclosed to customers in a private advisory as far back as December 4, according to information shared by Mohammed Eldeeb, one of the researchers who discovered CVE-2024-0204.

In disclosing the incident privately, Fortra was likely looking to avoid a repeat of last year's Clop incident, giving customers an extensive window to ensure they were patched up before attackers could get their hands on a working exploit.

Clop's attacks on GoAnywhere MFT began almost exactly a year ago, in January 2023, with proof-of-concept code published online a day before Fortra released its patch in early February.

Given that Horizon3 published its exploit within hours of Fortra publicly disclosing the issue, perhaps the decision to withhold disclosure wasn't such a bad idea. ®
