Proof-of-Concept released for GoAnywhere Managed File Transfer Remote Auth Bypass

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Severity Level – High (CVSSv3 base score of 9.8): This vulnerability poses a significant risk, potentially leading to unauthorised administrative access and control over the GoAnywhere Managed File Transfer (MFT) platform.

Fortra has disclosed a critical authentication bypass vulnerability in its GoAnywhere MFT software, identified as CVE-2024-0204. This vulnerability was discovered by Mohammed Eldeeb and Islam R Alater and publicly reported on 22nd January 2024. It affects GoAnywhere MFT versions 6.x from 6.0.1 and 7.x before 7.4.1.

This vulnerability allows an unauthenticated, remote attacker to bypass authentication controls and create new users with administrative privileges. The root cause of this vulnerability is classified as CWE-425: Forced Browsing, a weakness where a web application does not properly enforce authorisation on restricted URLs, scripts, or files.

This situation echoes a previous incident in early 2023 where a different vulnerability in GoAnywhere MFT (CVE-2023-0669) was exploited by the Cl0p ransomware group, affecting numerous organisations.

Impact

Exploitation of this vulnerability allows remote attackers to bypass authentication mechanisms, enabling them to create administrative users. This unauthorised access could lead to full control over the MFT platform, jeopardising the integrity and confidentiality of sensitive data handled by the software.

With administrative access, attackers can potentially access, modify, or delete sensitive data. This poses a severe threat to organisations handling confidential information, including financial, personal, and health data.

Vulnerability Detection

Fortra has released an update that addresses CVE-2024-0204. Organisations using GoAnywhere MFT should compare their installed version with the affected ranges: Fortra GoAnywhere MFT 6.x from 6.0.1 and Fortra GoAnywhere MFT 7.x before 7.4.1. Any version earlier than the 7.4.1 release is vulnerable to this exploit.

Additionally, organisations should inspect the Admin Users group in the GoAnywhere administrator portal for any unfamiliar or unexpected additions. New, unknown administrative users could indicate a compromise.

Containment, Mitigations & Remediations

Effective security strategies to protect against exploitation include implementing network segmentation to limit how far a potential attacker can move within the network. Access to the GoAnywhere MFT system should be restricted to essential personnel and systems only.

Additionally, increase monitoring of network traffic and system logs for unusual activities that might indicate an exploit attempt. Set up alerts for any unexpected changes in the administrative users or configurations within the GoAnywhere MFT environment.

Indicators of Compromise

Look for signs of path traversal in web server logs, such as sequences like ../ or /..;/ in URL requests, which are typical of this type of vulnerability.
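As an added example (not code from the bulletin or from Fortra), the following Python scans constructed common-log-format access-log lines for the sequences named above, URL-decoding each path first so encoded variants are not missed, and counts flagged requests per source address to prioritise triage. The log lines and the /goanywhere/ paths are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines in common log format (not from a real
# GoAnywhere deployment); the traversal sequences are the ones the bulletin names.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jan/2024:10:12:01 +0000] "GET /goanywhere/ HTTP/1.1" 200 512
10.0.0.9 - - [23/Jan/2024:10:12:07 +0000] "GET /goanywhere/..;/example HTTP/1.1" 200 917
10.0.0.9 - - [23/Jan/2024:10:12:09 +0000] "POST /goanywhere/%2e%2e%3b/example HTTP/1.1" 302 0
10.0.0.7 - - [23/Jan/2024:10:13:00 +0000] "GET /goanywhere/static/app.css HTTP/1.1" 200 4411
10.0.0.9 - - [23/Jan/2024:10:13:30 +0000] "GET /goanywhere/../admin HTTP/1.1" 404 0
"""

# Common log format: client, ident, user, [timestamp], "METHOD path PROTO", status, bytes
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Ordered so the more specific "/..;/" form is reported when both could match.
TRAVERSAL_MARKERS = ("/..;/", "../")


def normalise_path(raw_path):
    """URL-decode twice so single- and double-encoded dots/semicolons become visible."""
    return unquote(unquote(raw_path))


def find_traversal(log_text):
    """Return one record per request whose decoded path contains a traversal marker."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log request records
        path = normalise_path(m.group("path"))
        marker = next((mk for mk in TRAVERSAL_MARKERS if mk in path), None)
        if marker is None:
            continue
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
                     "path": path, "status": m.group("status"), "marker": marker})
    return hits


def hits_by_source(hits):
    """Count flagged requests per client address to prioritise triage."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    for h in find_traversal(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} ({h["marker"]})')
```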

Unusual log entries, especially those related to administrative user activities or system configuration changes, should be scrutinised. Specific attention should be given to the GoAnywhere MFT logs located in \GoAnywhere\userdata\database\goanywhere\log\*.log, as they contain a transactional history of the database.

Threat Landscape

GoAnywhere MFT, a prominent player in the managed file transfer market, has increasingly become a focal point for cybercriminal activity. This is primarily due to its widespread use in critical infrastructure sectors, including healthcare, finance and government. The software’s role in handling sensitive data makes it an attractive target for threat actors.

Threat Group

Based on the information currently available, no specific threat group has been definitively linked to exploitation of CVE-2024-0204 in Fortra’s GoAnywhere MFT. However, the nature of the vulnerability and the history of similar exploits suggest that advanced persistent threat (APT) groups and ransomware gangs could leverage it.

Further Information

Quorum Cyber GoAnywhere MFT zero-day exploit bulletin