{"id":50344,"date":"2024-01-26T09:07:32","date_gmt":"2024-01-26T14:07:32","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=50344"},"modified":"2024-01-26T09:07:32","modified_gmt":"2024-01-26T14:07:32","slug":"exploit-authentication-bypass-vulnerability-goanywhere-mft","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/exploit-authentication-bypass-vulnerability-goanywhere-mft\/50344\/","title":{"rendered":"Critical vulnerability exploit in GoAnywhere MFT"},"content":{"rendered":"<p>Researchers have <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/exploit-released-for-fortra-goanywhere-mft-auth-bypass-bug\/\" target=\"_blank\" rel=\"nofollow noopener\">analyzed<\/a> the CVE-2024-0204 vulnerability in <em>Fortra GoAnywhere MFT<\/em> software (MFT standing for managed file transfer) and published exploit code that takes advantage of it. We explain the danger, and what organizations that use this software should do about it.<\/p>\n<h2>Vulnerability CVE-2024-0204 in GoAnywhere MFT<\/h2>\n<p>Let\u2019s start by briefly recounting the story of this vulnerability in GoAnywhere. In fact, Fortra, the company developing this solution, patched this vulnerability back in early December 2023 with the release of GoAnywhere MFT 7.4.1. However, at that time the company chose not to disclose any information about the vulnerability, limiting itself to sending private recommendations to clients.<\/p>\n<p>The essence of the vulnerability is as follows. After a user completes initial setup of GoAnywhere, the product\u2019s internal logic blocks access to the initial account setup page. Then when they attempt to access this page, they\u2019re redirected either to the admin panel (if they\u2019re authenticated as an administrator) or to the authentication page.<\/p>\n<p>However, researchers discovered that an alternative path to the InitialAccountSetup.xhtml file can be used, which the redirection logic does not take into account. 
In this scenario, GoAnywhere MFT allows anyone to access this page and create a new user account with administrator privileges.<\/p>\n<p>As proof of the attack\u2019s feasibility, the researchers wrote and published a short script that can create admin accounts in vulnerable versions of GoAnywhere MFT. All an attacker needs is to specify a new account name, a password (the only requirement is that it contains at least eight characters, which is interesting in itself), and the path:<\/p>\n<div id=\"attachment_50345\" style=\"width: 1936px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/01\/26085532\/exploit-authentication-bypass-vulnerability-goanywhere-mft-1.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-50345\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2024\/01\/26085532\/exploit-authentication-bypass-vulnerability-goanywhere-mft-1.png\" alt=\"Part of the exploit code for the CVE-2024-0204 vulnerability in Fortra GoAnywhere MFT\" width=\"1926\" height=\"688\" class=\"size-full wp-image-50345\"><\/a><p id=\"caption-attachment-50345\" class=\"wp-caption-text\">Part of the exploit code for the CVE-2024-0204 vulnerability. Highlighted in red is the alternative path to the initial account setup page that enables the creation of users with administrator privileges<\/p><\/div>\n<p>In general, this vulnerability closely resembles that discovered in Atlassian Confluence Data Center and Confluence Server a few months ago; there, too, it was possible to create admin accounts in a few simple steps.<\/p>\n<p>Fortra assigned vulnerability <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-0204\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2024-0204<\/a> \u201ccritical\u201d status, with a CVSS 3.1 score of 9.8 out of 10.<\/p>\n<p>A little context is necessary here. 
In 2023, the Clop ransomware group exploited a previous vulnerability in Fortra GoAnywhere MFT and, a few months later, one in <a href=\"https:\/\/www.kaspersky.com\/blog\/moveit-transfer-attack-protection\/48598\/\" target=\"_blank\" rel=\"noopener nofollow\">Progress MOVEit<\/a> Transfer, attacking hundreds of organizations worldwide; the group had earlier gone after similar file-transfer products from other developers, Accellion FTA and SolarWinds Serv-U. Among the organizations hit through the GoAnywhere MFT vulnerability were Procter &amp; Gamble, Community Health Systems (CHS, one of the largest hospital networks in the U.S.A.), and the municipality of Toronto.<\/p>\n<h2>How to defend against CVE-2024-0204 exploitation<\/h2>\n<p>The obvious way to protect against exploitation of this vulnerability is to update GoAnywhere MFT to version 7.4.1 or later immediately; the fix corrects the logic that denies access to the InitialAccountSetup.xhtml page once initial setup is complete.<\/p>\n<p>If you can\u2019t install the update for some reason, you can use one of two simple workarounds; Fortra\u2019s advisory matches each to a deployment type:<\/p>\n<ul>\n<li>For non-container deployments, delete the InitialAccountSetup.xhtml file in the installation folder and restart the service;<\/li>\n<\/ul>\n<p>or<\/p>\n<ul>\n<li>For container deployments, replace InitialAccountSetup.xhtml with a blank file and restart the service.<\/li>\n<\/ul>\n<p>Note that neither the update nor the workarounds remove an administrator account that an attacker may already have created through this bug. Whichever route you take, review the product\u2019s list of administrator users and disable any account you can\u2019t attribute to a known person or process.<\/p>\n<p>You should also use an <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/endpoint-detection-response-edr?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener nofollow\">EDR (Endpoint Detection and Response) solution<\/a> to monitor suspicious activity in the corporate network. 
If your internal cybersecurity team lacks the skills or resources for this, you can use an <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/managed-detection-and-response?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____\" target=\"_blank\" rel=\"noopener nofollow\">external service<\/a> to continuously hunt for threats to your organization and swiftly respond to them.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"mdr\">\n","protected":false},"excerpt":{"rendered":"<p>Time to update Fortra GoAnywhere MFT: an exploit has been developed for a critical vulnerability that allows attackers to bypass authentication and create admin accounts.<\/p>\n","protected":false},"author":2726,"featured_media":50346,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051],"tags":[2141,527,961,4486,420,1146,422,268],"class_list":{"0":"post-50344","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-business","10":"tag-hacks","11":"tag-leaks","12":"tag-mft","13":"tag-ransomware","14":"tag-risks","15":"tag-threats","16":"tag-vulnerabilities"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/exploit-authentication-bypass-vulnerability-goanywhere-mft\/50344\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/exploit-authentication-bypass-vulnerability-goanywhere-mft\/27008\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/exploit-authentication-bypass-vulnerability-goanywhere-mft\/22323\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/exploit-authentication-bypass-vulnerability-goanywhere-mft\/29681\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/exploit-authentication-bypass-vulnerability-goanywhere-mft\/27179\/"},{"hrefla
ng":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/exploit-authentication-bypass-vulnerability-goanywhere-mft\/26995\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/exploit-authentication-bypass-vulnerability-goanywhere-mft\/29584\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/exploit-authentication-bypass-vulnerability-goanywhere-mft\/28435\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/exploit-authentication-bypass-vulnerability-goanywhere-mft\/36891\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/exploit-authentication-bypass-vulnerability-goanywhere-mft\/21422\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/exploit-authentication-bypass-vulnerability-goanywhere-mft\/22178\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/exploit-authentication-bypass-vulnerability-goanywhere-mft\/30861\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/exploit-authentication-bypass-vulnerability-goanywhere-mft\/33195\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/exploit-authentication-bypass-vulnerability-goanywhere-mft\/32819\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/vulnerabilities\/","name":"vulnerabilities"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/50344","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=50344"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/50344\/revisions"}],"predecessor-version":[{"id":50348,"href":"https:\/\/www.kaspersky.com\/bl
og\/wp-json\/wp\/v2\/posts\/50344\/revisions\/50348"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/50346"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=50344"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=50344"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=50344"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
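The following is an added example for the section "Vulnerability CVE-2024-0204 in GoAnywhere MFT" in the post above; it is not code from the post, from the researchers who published the exploit, or from Fortra. It turns the two facts the post states into a check an operator can run against their own instance: builds before 7.4.1 are affected, and after initial setup the InitialAccountSetup.xhtml page must answer with a redirect (to the login page or the admin panel) rather than render a form. The hostnames, the canonical path, the form-detection markers and the sample HTTP responses are constructed placeholders, and the "alternative path" the post refers to is deliberately a parameter rather than a value.

```python
"""Vulnerability and post-mitigation checks for CVE-2024-0204.

Added example for this post; not code from the post, the researchers or
Fortra.  It encodes two facts stated in the post: GoAnywhere MFT builds
before 7.4.1 are affected, and once initial setup is complete the setup
page must answer with a redirect (login page or admin panel) rather than
a form.  Hostnames, paths and the HTTP responses below are constructed
placeholders; the alternative path is a parameter, not a value.
"""
import re
import urllib.error
import urllib.request

FIXED_VERSION = (7, 4, 1)          # first fixed release named in the post
REDIRECT_CODES = (301, 302, 303, 307, 308)
# Heuristic for "a setup form was rendered": an HTML form with a password
# field.  Assumed markers for the example, not taken from the product.
FORM_MARKERS = ('<form', 'password')


def parse_version(text):
    """'7.4.1' -> (7, 4, 1); '7.4' -> (7, 4, 0); ignores suffixes like '-rc1'."""
    nums = [int(n) for n in re.findall(r'\d+', text)][:3]
    if not nums:
        raise ValueError('no version number in %r' % text)
    return tuple(nums + [0] * (3 - len(nums)))


def is_patched_version(text):
    """True when the reported build is 7.4.1 or later."""
    return parse_version(text) >= FIXED_VERSION


def classify_setup_response(status, headers, body):
    """Classify one response to a GET for InitialAccountSetup.xhtml.

    'exposed'     - a form with a password field came back: accounts can be created
    'redirect'    - the post-setup lockout is working
    'neutralized' - 404 or an empty page: the Fortra workaround is in place
    'other'       - inspect by hand
    """
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    if status in REDIRECT_CODES and hdrs.get('location'):
        return 'redirect'
    if status == 404 or (status == 200 and not body.strip()):
        return 'neutralized'
    lowered = body.lower()
    if status == 200 and all(m in lowered for m in FORM_MARKERS):
        return 'exposed'
    return 'other'


def assess(canonical, alternative):
    """Verdict from the canonical-path and alternative-path responses.

    Each argument is a (status, headers, body) tuple.  The bug in the post
    is exactly the inconsistency "canonical path redirects, alternative
    path serves the form", so a form on either path means the instance is
    open; two redirects (or two neutralized pages) mean it is closed.
    """
    results = {classify_setup_response(*canonical), classify_setup_response(*alternative)}
    if 'exposed' in results:
        return 'VULNERABLE'
    if results <= {'redirect', 'neutralized'}:
        return 'NOT_EXPOSED'
    return 'INCONCLUSIVE'


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the redirect itself is observable."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, timeout=10):
    """GET url without following redirects; returns (status, headers, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items()), resp.read().decode('utf-8', 'replace')
    except urllib.error.HTTPError as err:   # 3xx and 4xx land here
        return err.code, dict(err.headers.items()), err.read().decode('utf-8', 'replace')


def probe(base_url, alternative_path, canonical_path='/goanywhere/wizard/InitialAccountSetup.xhtml'):
    """Live check against an instance you own.  Both paths are assumptions:
    take the canonical one from your deployment, the alternative from your tests."""
    return assess(fetch(base_url + canonical_path), fetch(base_url + alternative_path))


# Constructed sample responses (not captured from a real instance).
SAMPLE_REDIRECT = (302, {'Location': 'https://mft.example.test/goanywhere/auth/Login.xhtml'}, '')
SAMPLE_FORM = (200, {'Content-Type': 'text/html'},
               '<html><body><form id="setup"><input name="username">'
               '<input type="password" name="password"></form></body></html>')
SAMPLE_BLANK = (200, {'Content-Type': 'text/html'}, '')

if __name__ == '__main__':
    print('7.4.0 patched?', is_patched_version('7.4.0'))     # False
    print(assess(SAMPLE_REDIRECT, SAMPLE_FORM))               # VULNERABLE
    print(assess(SAMPLE_REDIRECT, SAMPLE_REDIRECT))           # NOT_EXPOSED
```

Run `probe()` only against instances you are responsible for, and run it twice: before the fix to confirm the inconsistency, and after patching or applying the workaround to confirm that both paths now redirect or come back empty. The version check is the cheap first filter; the response check is what proves the lockout actually holds on the path you care about.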
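The following is an added example for the two workarounds listed under "How to defend against CVE-2024-0204 exploitation" in the post above; it is not Fortra's tooling and not code from the post. It finds every InitialAccountSetup.xhtml under the installation folder, keeps a timestamped backup outside the web tree, and then either deletes the file or truncates it to zero bytes, which are the two options the post gives. The restart that both workarounds end with is left to the operator, because the service name and init system depend on the deployment and the post does not state them. The directory layout created by `build_fake_install()` is a constructed stand-in for an installation so the script can be exercised without touching a real one.

```python
"""Apply Fortra's interim workaround for CVE-2024-0204 on a GoAnywhere MFT host.

Added example for this post; not Fortra's tooling and not code from the
post.  It walks the installation folder for every InitialAccountSetup.xhtml,
keeps a timestamped backup outside the web tree, then either deletes the
file or truncates it to zero bytes (the two workarounds in the post).
The service restart that both workarounds end with is left to the operator:
the service name and init system depend on the deployment and the post
does not state them.  build_fake_install() creates a throwaway directory
with a constructed layout so the script can be tried without touching a
real installation.
"""
import shutil
import tempfile
import time
from pathlib import Path

SETUP_PAGE = 'InitialAccountSetup.xhtml'


def find_setup_pages(install_dir):
    """Every copy of the setup page below install_dir (normally exactly one)."""
    return sorted(p for p in Path(install_dir).rglob(SETUP_PAGE) if p.is_file())


def neutralize_setup_page(install_dir, backup_dir, mode='blank'):
    """Back up, then neutralize, each setup page found.

    mode='delete' -> remove the file (Fortra's non-container workaround)
    mode='blank'  -> overwrite with an empty file (the container workaround)
    Returns the list of pages that were processed.
    """
    if mode not in ('blank', 'delete'):
        raise ValueError('mode must be "blank" or "delete"')
    install_dir, backup_dir = Path(install_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime('%Y%m%dT%H%M%S')
    processed = []
    for page in find_setup_pages(install_dir):
        # Flatten the relative path into the backup name so several copies
        # from different sub-folders cannot collide; the backup lets you
        # restore the page after the real 7.4.1 update is installed.
        flat = '_'.join(page.relative_to(install_dir).parts)
        shutil.copy2(page, backup_dir / ('%s.%s.bak' % (flat, stamp)))
        if mode == 'delete':
            page.unlink()
        else:
            page.write_bytes(b'')
        processed.append(page)
    return processed


def verify_neutralized(install_dir):
    """True when no non-empty setup page remains anywhere under install_dir."""
    return all(p.stat().st_size == 0 for p in find_setup_pages(install_dir))


def build_fake_install():
    """Constructed stand-in for an install folder, for dry runs and tests.

    Returns a temp root containing install/ (with one fake setup page under
    an assumed sub-folder) and an empty backup/.
    """
    root = Path(tempfile.mkdtemp(prefix='goanywhere-demo-'))
    page = root / 'install' / 'adminroot' / 'wizard' / SETUP_PAGE
    page.parent.mkdir(parents=True)
    page.write_text('<html><!-- fake setup page for the demo --></html>')
    (root / 'backup').mkdir()
    return root


if __name__ == '__main__':
    root = build_fake_install()
    install, backup = root / 'install', root / 'backup'
    print('before:', verify_neutralized(install))                 # False
    for page in neutralize_setup_page(install, backup, mode='blank'):
        print('blanked', page)
    print('after: ', verify_neutralized(install))                 # True
    print('backups:', [b.name for b in backup.iterdir()])
    print('now restart the GoAnywhere service (name depends on your deployment)')
    shutil.rmtree(root)
```

On a real host, point `neutralize_setup_page()` at the product's installation folder and a backup location outside it, restart the service, and then re-run `verify_neutralized()`; treat this as a stopgap only, and reinstate nothing from the backup until the 7.4.1 (or later) update is in place.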