GoAnywhere Managed File Transfer (MFT), the program at the center of a major data reach scandal around a year ago, may have a new high-severity vulnerability which users should patch immediately to avoid more trouble.
Cybersecurity researchers Mohammed Eldeeb and Islam Elrfai from Spark Engineering Consultants discovered the flaw in December 2023, and disclosed it to GoAnywhere’s developer, Fortra.
It is described as a path traversal weakness, and tracked as CVE-2024-0204. It has a severity score of 9.8/10, making it critical.
A workaround is available, too
As explained by the researchers, as well as cybersecurity firm Horizon3.ai, which subsequently published a proof-of-concept (PoC) exploit, the vulnerability can be used to create a new administrator user for the tool:
“Authentication bypass in Fortra’s GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal,” a new Fortra advisory reads.
“The easiest indicator of compromise that can be analyzed is for any new additions to the Admin Users group in the GoAnywhere administrator portal Users -> Admin Users section,” Horizon3.ai security researcher Zach Hanley said. “If the attacker has left this user here you may be able to observe its last logon activity here to gauge an approximate date of compromise.”
Those who are unable to apply the patch at this time can apply a temporary workaround in non-container deployment – delete the InitialAccountSetup.xhtml file in the install directory and then restart the device. For container-deployed instances, Fortra recommends replacing the file with an empty one before restarting.
There is currently no evidence of the vulnerability being exploited in the wild, but with the news broken, and a PoC available, it’s only a matter of time before unpatched endpoints get targeted. Users should apply the patch immediately and avoid risking the integrity of their data.
Last year, a vulnerability in GoAnywhere resulted in sensitive data from almost 130 organizations being stolen.
Via TheHackerNews