Fortra is warning of a new authentication bypass vulnerability impacting GoAnywhere MFT (Managed File Transfer) versions before 7.4.1 that allows an attacker to create a new admin user.
GoAnywhere MFT is used by organizations worldwide to securely transfer files with customers and business partners. It supports secure encryption protocols, automation, centralized control, and various logging and reporting tools that aid in legal compliance and auditing.
The newly disclosed flaw is tracked as CVE-2024-0204 and is rated critical with a CVSS v3.1 score of 9.8 as it is remotely exploitable, allowing an unauthorized user to create admin users via the product’s administration portal.
Creating arbitrary accounts with administrative privileges can lead to a complete device takeover. In the case of GoAnywhere MFT, that would allow attackers to access sensitive data, introduce malware, and potentially enable further attacks within the network.
The flaw impacts Fortra GoAnywhere MFT 6.x from 6.0.1 and Fortra GoAnywhere MFT 7.4.0 and earlier and was fixed in GoAnywhere MFT 7.4.1, released on December 7, 2023. Fortra advises all users to install the latest update (currently 7.4.1) to fix the vulnerability.
Fortra also provides the following two manual mitigation pathways in the advisory:
- Delete the InitialAccountSetup.xhtml file in the installation directory and restart the services.
- Replace the InitialAccountSetup.xhtml file with an empty file and restart the services.
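As an added illustration of the two manual mitigations above (this is not Fortra's script or text from the advisory), the following POSIX shell helper audits an installation directory for a live InitialAccountSetup.xhtml and can apply the empty-file mitigation with a backup. It assumes the install directory is passed as an argument and locates the file by name, since the advisory does not state its exact subpath; restarting the services afterwards remains a manual step.

```shell
#!/bin/sh
# Audit and (optionally) apply the empty-file mitigation for CVE-2024-0204.
# Assumption: the install directory is passed in; the exact subpath of
# InitialAccountSetup.xhtml is not given in the advisory, so it is located by name.

# Returns 0 when every copy of InitialAccountSetup.xhtml under the install
# directory is absent (mitigation 1) or zero bytes (mitigation 2),
# 1 when a non-empty copy is still reachable, 2 on bad input.
check_initial_setup_page() {
    install_dir="$1"
    [ -d "$install_dir" ] || { echo "not a directory: $install_dir" >&2; return 2; }
    total=$(find "$install_dir" -type f -name 'InitialAccountSetup.xhtml' | wc -l)
    nonempty=$(find "$install_dir" -type f -name 'InitialAccountSetup.xhtml' -size +0c | wc -l)
    if [ "$total" -eq 0 ]; then
        echo "OK: InitialAccountSetup.xhtml absent under $install_dir"
        return 0
    fi
    if [ "$nonempty" -eq 0 ]; then
        echo "OK: $total copy(ies) present but empty"
        return 0
    fi
    echo "UNMITIGATED: $nonempty non-empty copy(ies) of InitialAccountSetup.xhtml:" >&2
    find "$install_dir" -type f -name 'InitialAccountSetup.xhtml' -size +0c >&2
    return 1
}

# Mitigation 2 for one file: keep a timestamped backup next to it, then
# truncate it to zero bytes. The GoAnywhere services must still be restarted
# by the operator afterwards; this helper does not do that.
neutralize_initial_setup_page() {
    page="$1"
    [ -f "$page" ] || { echo "no such file: $page" >&2; return 1; }
    cp -p "$page" "$page.bak.$(date +%Y%m%d%H%M%S)" || return 1
    : > "$page" || return 1
    if [ -s "$page" ]; then
        echo "truncation of $page failed" >&2
        return 1
    fi
    echo "truncated $page (backup kept alongside it)"
    return 0
}
```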
One thing to note is that CVE-2024-0204 was discovered on December 1, 2023, by Mohammed Eldeeb and Islam Elrfai from Spark Engineering Consultants. That said, significant time has passed since the initial disclosure.
Fortra has not clarified if the vulnerability is actively exploited or not. However, now that Fortra has released mitigations and a clue as to where to search for the bug, it would not be surprising if PoC exploits were released soon.
BleepingComputer has contacted the software vendor about whether it is actively exploited, but we have not heard back.
Clop GoAnywhere MFT attacks
In early 2023, it was revealed that the Clop ransomware gang had breached 130 companies and organizations by leveraging a critical remote code execution flaw in GoAnywhere MFT.
The flaw is tracked as CVE-2023-0669 and had been exploited as a zero-day vulnerability since January 18, 2023. Fortra discovered its exploitation on February 3, 2023, and released patches three days later.
Unfortunately, the damage had already been done, with Clop conducting widespread data theft attacks that impacted organizations worldwide, causing data leaks, reputational damage, and operational disruptions.
Some notable victims of those attacks include Crown Resorts, CHS, Hatch Bank, Rubrik, the City of Toronto, Hitachi Energy, Procter & Gamble, and Saks Fifth Avenue.
Fortra kept a cryptic stance towards press requests for details on the situation and only communicated the results of its internal investigation in mid-April 2023.
Considering the above, organizations using Fortra GoAnywhere MFT should apply the available security updates and recommended mitigations as soon as possible and scrutinize their logs for suspicious activity.