vulnerabilities Critical vulnerability exploit in GoAnywhere MFT Time to update Fortra GoAnywhere MFT: an exploit has been developed for a critical vulnerability that allows attackers to bypass authentication and create admin accounts. Alanna Titterington January 26, 2024 Researchers have analyzed the CVE-2024-0204 vulnerability in Fortra GoAnywhere MFT software (MFT standing for managed file transfer) and published exploit code that takes advantage of it. We explain the danger, and what organizations that use this software should do about it. Vulnerability CVE-2024-0204 in GoAnywhere MFT Let’s start by briefly recounting the story of this vulnerability in GoAnywhere. In fact, Fortra, the company developing this solution, patched this vulnerability back in early December 2023 with the release of GoAnywhere MFT 7.4.1. However, at that time the company chose not to disclose any information about the vulnerability, limiting itself to sending private recommendations to clients. The essence of the vulnerability is as follows. After a user completes initial setup of GoAnywhere, the product’s internal logic blocks access to the initial account setup page. Then when they attempt to access this page, they’re redirected either to the admin panel (if they’re authenticated as an administrator) or to the authentication page. However, researchers discovered that an alternative path to the InitialAccountSetup.xhtml file can be used, which the redirection logic does not take into account. In this scenario, GoAnywhere MFT allows anyone to access this page and create a new user account with administrator privileges. As proof of the attack’s feasibility, the researchers wrote and published a short script that can create admin accounts in vulnerable versions of GoAnywhere MFT. All an attacker needs is to specify a new account name, a password (the only requirement is that it contains at least eight characters, which is interesting in itself), and the path: Part of the exploit code for the CVE-2024-0204 vulnerability. Highlighted in red is the alternative path to the initial account setup page that enables the creation of users with administrator privileges In general, this vulnerability closely resembles that discovered in Atlassian Confluence Data Center and Confluence Server a few months ago; there, too, it was possible to create admin accounts in a few simple steps. Fortra assigned vulnerability CVE-2024-0204 “critical” status, with a CVSS 3.1 score of 9.8 out of 10. A little context is necessary here. In 2023, the Clop ransomware group already exploited vulnerabilities in Fortra GoAnywhere MFT and also similar products from other developers — Progress MOVEit, Accellion FTA, and SolarWinds Serv-U — to attack hundreds of organizations worldwide. In particular, companies such as Procter & Gamble, Community Health Systems (CHS, one of the largest hospital networks in the U.S.A.), and the municipality of Toronto suffered from the exploitation of the GoAnywhere MFT vulnerability. How to defend against CVE-2024-0204 exploitation The obvious way to protect against exploitation of this vulnerability is to update GoAnywhere MFT to version 7.4.1 immediately, which fixes the logic for denying access to the InitialAccountSetup.xhtml page. If you can’t install the update for some reason, you can try one of two simple workarounds: Delete the InitialAccountSetup.xhtml file in the installation folder and restart the service; or Replace InitialAccountSetup.xhtml with a blank file and restart the service. You should also use an EDR (Endpoint Detection and Response) solution to monitor suspicious activity in the corporate network. If your internal cybersecurity team lacks the skills or resources for this, you can use an external service to continuously hunt for threats to your organization and swiftly respond to them.
Read next Transatlantic Cable podcast, episode 331 Episode 331 of the Transatlantic Cable podcast takes a look at PalWorld, the biggest data breach of all time, swearing customer service chatbots & more.
Tips How to set up security and privacy in Strava Want to keep your runs, rides, and hikes private on Strava? This guide will walk you through the essential privacy settings in this popular fitness app.
Tips Run for your data: Privacy settings in jogging apps Running apps know a lot about their users, so it’s worth setting them up to ensure your data doesn’t fall into the wrong hands. Here’s how.
Tips When you get a login code for an account you don’t have What to do if you receive a text with a two-factor authentication code from a service you’ve never registered for.
Tips School and cyberthreats Why cybersecurity in education is critical, and how to protect schools from attacks.