Technology

Popular file transfer software has a seriously dangerous security bug that gives anyone free administrator rights — so patch it now to avoid another Moveit-like debacle

January 25, 2024

GoAnywhere Managed File Transfer (MFT), the program at the center of a major data reach scandal around a year ago, may have a new high-severity vulnerability which users should patch immediately to avoid more trouble.

Cybersecurity researchers Mohammed Eldeeb and Islam Elrfai from Spark Engineering Consultants discovered the flaw in December 2023, and disclosed it to GoAnywhere’s developer, Fortra.

It is described as a path traversal weakness, and tracked as CVE-2024-0204. It has a severity score of 9.8/10, making it critical.

A workaround is available, too

As explained by the researchers, as well as cybersecurity firm Horizon3.ai, which subsequently published a proof-of-concept (PoC) exploit, the vulnerability can be used to create a new administrator user for the tool:

“Authentication bypass in Fortra’s GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal,” a new Fortra advisory reads.

“The easiest indicator of compromise that can be analyzed is for any new additions to the Admin Users group in the GoAnywhere administrator portal Users -> Admin Users section,” Horizon3.ai security researcher Zach Hanley said. “If the attacker has left this user here you may be able to observe its last logon activity here to gauge an approximate date of compromise.”

Those who are unable to apply the patch at this time can apply a temporary workaround in non-container deployment – delete the InitialAccountSetup.xhtml file in the install directory and then restart the device. For container-deployed instances, Fortra recommends replacing the file with an empty one before restarting.

There is currently no evidence of the vulnerability being exploited in the wild, but with the news broken, and a PoC available, it’s only a matter of time before unpatched endpoints get targeted. Users should apply the patch immediately and avoid risking the integrity of their data.

Last year, a vulnerability in GoAnywhere resulted in sensitive data from almost 130 organizations being stolen.

Via TheHackerNews

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar