Threat Exploits GoAnywhere MFT Vulnerability

Fortra has issued a warning about a new authentication bypass vulnerability that affects versions of GoAnywhere MFT (Managed File Transfer) prior to 7.4.1. This vulnerability allows attackers to create new administrator accounts, posing a significant threat to organizations worldwide that rely on GoAnywhere MFT for secure file transfer with clients and business partners. GoAnywhere MFT offers encryption protocols, automation, centralized control, and various logging and reporting tools to facilitate compliance and audits.

The newly discovered vulnerability, identified as CVE-2024-0204, is classified as critical with a CVSS v3.1 score of 9.8, as it can be exploited remotely. It enables unauthorized users to create administrator accounts through the product’s administrative panel. The creation of arbitrary accounts with administrator privileges can result in complete device takeover. In the case of GoAnywhere MFT, this can allow attackers to gain access to sensitive data, introduce malicious software, and potentially launch further network attacks.

This vulnerability affects GoAnywhere MFT versions 6.x from 6.0.1 onwards, as well as GoAnywhere MFT 7.4.0 and earlier versions. It has been addressed in the release of GoAnywhere MFT 7.4.1, which was issued on December 7, 2023. Fortra strongly recommends that all users install the latest update (currently 7.4.1) to eliminate the vulnerability.

Fortra also describes two temporary workarounds in its publication:
– Remove the InitialAccountSetup.xhtml file from the installation directory and restart the services.
– Replace the InitialAccountSetup.xhtml file with an empty file and restart the services.
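
A defender-side check covering the affected version range and the two workarounds above, written as an added Python example (not Fortra's code). The installation directory is supplied by the caller, and the `example_webroot` directory and file contents used in `demo()` are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

SETUP_PAGE = "InitialAccountSetup.xhtml"  # file named in the workaround
FIRST_AFFECTED = (6, 0, 1)                # "6.x from 6.0.1 onwards"
FIXED = (7, 4, 1)                         # release that addresses the flaw

def parse_version(text):
    """Turn '7.4.0' or '7.4' into a 3-tuple of ints; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def version_affected(text):
    """True when the version lies in the range the advisory lists."""
    return FIRST_AFFECTED <= parse_version(text) < FIXED

def setup_page_state(install_dir):
    """Map each copy of the setup page under install_dir to its state."""
    return {
        str(p): "emptied" if p.stat().st_size == 0 else "present"
        for p in Path(install_dir).rglob(SETUP_PAGE)
    }

def assess(version, install_dir):
    """Return (verdict, per-file state) for one installation."""
    pages = setup_page_state(install_dir)
    if not version_affected(version):
        return "not in affected range", pages
    if "present" in pages.values():
        return "affected, workaround not applied", pages
    # A file check cannot confirm the service restart the workaround requires.
    return "affected, workaround files in place, upgrade pending", pages

def demo():
    """Constructed layout; 'example_webroot' is a placeholder directory."""
    with tempfile.TemporaryDirectory() as install_dir:
        page = Path(install_dir, "example_webroot", SETUP_PAGE)
        page.parent.mkdir(parents=True)
        page.write_text("<html/>")            # stand-in for the shipped page
        before = assess("7.4.0", install_dir)[0]
        page.write_text("")                   # workaround: empty file
        emptied = assess("7.4.0", install_dir)[0]
        page.unlink()                         # workaround: remove file
        removed = assess("7.4.0", install_dir)[0]
        patched = assess("7.4.1", install_dir)[0]
    return before, emptied, removed, patched
```

Call `assess(version, install_dir)` with the version the installation reports and its installation directory; `demo()` runs the same check against a temporary directory.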

It is worth noting that CVE-2024-0204 was discovered on December 1, 2023, by Mohammed Eldeeba and Islam Elrfai’a from Spark Engineering Consultants. However, a significant amount of time has passed since the initial disclosure.

Fortra has not clarified whether the vulnerability is actively being exploited or not. It is possible that after Fortra’s release of mitigation measures and bug hunting guidelines, proof-of-concept exploits may emerge soon.

Previously, in 2023, a ransomware group called Clop exploited a critical remote code execution vulnerability in GoAnywhere MFT to target 130 companies and organizations. There have been numerous victims of these attacks, including Crown Resorts, CHS, Hatch Bank, Rubrik, City of Toronto, Hitachi Energy, Procter & Gamble, and Saks Fifth Avenue. Therefore, organizations using GoAnywhere MFT should promptly apply available security updates and recommended mitigations, while thoroughly analyzing their logs for suspicious activity.

FAQ section based on the main topics and information presented in the article:

1. What vulnerability was discovered in the GoAnywhere MFT system?
– The discovered vulnerability relates to authentication bypass and allows attackers to create new administrator accounts.

2. What is the classification of this vulnerability?
– The vulnerability is classified as critical, with a CVSS v3.1 score of 9.8.

3. What are the consequences of exploiting this vulnerability?
– The creation of arbitrary accounts with administrator privileges can result in complete device takeover, allowing attackers to access sensitive data, introduce malicious software, and launch further network attacks.

4. Which versions of the GoAnywhere MFT system are affected by this vulnerability?
– The vulnerability affects GoAnywhere MFT versions 6.x from 6.0.1 onwards, as well as GoAnywhere MFT 7.4.0 and earlier versions.

5. How can one protect against this vulnerability?
– To eliminate the vulnerability, it is recommended to install the latest update (currently 7.4.1) of the GoAnywhere MFT system.

6. What are the available temporary solutions?
– Fortra offers two temporary solutions: removing the InitialAccountSetup.xhtml file from the installation directory and restarting the services, or replacing the InitialAccountSetup.xhtml file with an empty file and restarting the services.

7. When was the vulnerability discovered and by whom?
– The vulnerability was discovered on December 1, 2023, by Mohammed Eldeeba and Islam Elrfai’a from Spark Engineering Consultants.

8. Is the vulnerability actively being exploited?
– It is unclear whether the vulnerability is actively being exploited.

9. Has this vulnerability been exploited in attacks before?
– Previously, in 2023, a ransomware group called Clop exploited a critical remote code execution vulnerability in the GoAnywhere MFT system to target 130 companies and organizations.

10. Which organizations should promptly apply security updates?
– Organizations using the GoAnywhere MFT system should promptly apply security updates and recommended mitigations while analyzing their logs for suspicious activity.

Definitions of terms and jargon:

1. GoAnywhere MFT – A file transfer management system that offers encryption protocols, automation, centralized control, and logging and reporting tools.

2. Vulnerability – A weakness or flaw in a system that can be exploited by an attacker to compromise security.

3. Authentication – The process of verifying the identity of a user or device before granting access to specific resources.

4. Administrator account – A user account with the highest privileges that has full control over a system or application.

5. CVSS v3.1 – The Common Vulnerability Scoring System, version 3.1, which provides a rating scale for vulnerability severity, assessing their impact on a system and their exploitability.

6. PoC (proof of concept) – A demonstration of the theoretical exploitation of a vulnerability to prove its feasibility.

The source of this article is the blog lisboatv.pt