A security vulnerability has been discovered in Fortra’s GoAnywhere managed file transfer (MFT) software that allows unauthorized users to create a new admin user. The flaw, tracked as CVE-2024-0204, is a remotely exploitable authentication bypass in GoAnywhere MFT.
Fortra has issued a mitigation for the issue, recommending that users upgrade to version 7.4.1 or higher to reduce the vulnerability’s impact. Additionally, users can remove the InitialAccountSetup.xhtml file from the installation directory and restart the service to further mitigate the risk.
The discovery of this vulnerability was initially shared on social media by researchers who were credited with finding and reporting the flaw. The company posted an internal security advisory regarding the vulnerability on December 4, 2023.
This is not the first time that GoAnywhere MFT has been targeted by malicious actors. Last year, the software was exploited by the Russian-speaking digital extortion group Clop, who used a zero-day vulnerability to breach numerous high-profile organizations, including Rio Tinto, Hitachi Energy, Procter & Gamble, and Munich RE.
The incident involving Clop was the beginning of a series of file transfer software hacking events, including a mass data exfiltration against Progress Software’s MOVEit secure file transfer software.
According to Zach Hanley, Chief Attack Engineer at Horizon3.ai, file transfer software has become a lucrative target for ransomware hackers due to the lack of monitoring for malicious traffic and the exposure of administrative interfaces to the open internet. Hanley described the exploit as taking advantage of a configuration error common in the Apache Tomcat runtime environment for Java, allowing attackers to force path traversal attacks by inserting special characters.
Acunetix, an application security testing firm, explained that the flaw occurs when developers combine Tomcat with a reverse proxy, allowing for path traversal. The attacker uses special characters to force GoAnywhere into calling the initial account setup wizard, bypassing a filter meant to stop the wizard from activating after the initial setup.
Hanley emphasized the complexity of the issue, stating that developers should ideally reject URLs containing these special characters outright rather than letting Tomcat process them. However, in some cases developers may not have control over inspecting the URLs, because other frameworks in the data flow handle the request before their code sees it.
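The defect class described above is a mismatch between the path a filter inspects and the path the container actually routes to. The following is an added example, not code from Fortra, GoAnywhere, Tomcat, or the article: it contrasts a naive deny-list check that matches the raw request path against a hardened check that canonicalizes the path (percent-decoding, stripping `;` path parameters, resolving dot-segments) and, following Hanley's recommendation, rejects requests carrying those constructs at all. It assumes, for modelling purposes only, that the setup wizard is served at the root path and that the weak filter does an exact match on the raw path; the canonicalization is an approximation of typical servlet-container behaviour, not Tomcat's exact algorithm. The sample request lines are constructed for the example.

```python
"""Defensive path canonicalization check modelled on the GoAnywhere MFT
filter-bypass class. Added example; not Fortra, GoAnywhere or Tomcat code."""
from urllib.parse import unquote

# Resource that must be unreachable after initial setup (file name from the article).
SETUP_WIZARD = "InitialAccountSetup.xhtml"
# Assumption for the model: the wizard is served at the root path.
WIZARD_PATH = "/" + SETUP_WIZARD


def canonicalize(raw_path: str) -> str:
    """Approximate the normalization a servlet container applies before routing.

    Assumption: this models common container behaviour, not Tomcat's exact code.
      1. percent-decode once
      2. drop path parameters (everything from ';' to the end of each segment)
      3. resolve '.' and '..' segments
    """
    decoded = unquote(raw_path)
    segments = []
    for seg in decoded.split("/"):
        seg = seg.split(";", 1)[0]          # strip ";name=value" from the segment
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()              # climb one level, never above root
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def naive_filter_blocks(raw_path: str) -> bool:
    """Weak pattern (modelling assumption): compare the deny-list against the
    raw path exactly as received, before the container normalizes it."""
    return raw_path == WIZARD_PATH


def hardened_filter_blocks(raw_path: str) -> bool:
    """Block if the canonical path reaches the wizard, or if the raw path
    carries constructs (dot-segments, path parameters) that only the container
    would resolve. Rejecting those outright is the conservative choice."""
    decoded = unquote(raw_path)
    has_special = any(seg == ".." or ";" in seg for seg in decoded.split("/"))
    return has_special or canonicalize(raw_path) == WIZARD_PATH


# Constructed sample request paths for the demonstration (not real GoAnywhere logs).
SAMPLE_REQUESTS = [
    "/InitialAccountSetup.xhtml",            # direct request: both filters block
    "/x/../InitialAccountSetup.xhtml",       # dot-segment: raw path differs, canonical hits
    "/x;a=b/../InitialAccountSetup.xhtml",   # path parameter plus dot-segment
    "/%2e%2e/InitialAccountSetup.xhtml",     # percent-encoded dot-segment
    "/files/report.pdf",                     # benign
    "/login.xhtml",                          # benign
]


def evaluate(requests):
    """Map each raw path to (naive_blocks, hardened_blocks)."""
    return {p: (naive_filter_blocks(p), hardened_filter_blocks(p)) for p in requests}


def bypasses_naive_only(requests):
    """Paths the naive filter lets through but the hardened filter stops."""
    return [p for p, (naive, hard) in evaluate(requests).items() if hard and not naive]


if __name__ == "__main__":
    for path, (naive, hard) in evaluate(SAMPLE_REQUESTS).items():
        print(f"{path:45s} canonical={canonicalize(path):30s} naive={naive} hardened={hard}")
```

The practical takeaway is that any deny-list applied at a proxy or in an early filter must see the same canonical path the container routes on; where a framework in front of the application prevents that, rejecting requests containing `..` or `;` segments before they reach the application is the simpler and safer control.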
He also described the issue as “really, really complicated,” indicating that addressing the vulnerability requires a deep understanding of the underlying technical complexities.
The discovery of the CVE-2024-0204 vulnerability in Fortra’s GoAnywhere MFT highlights the ongoing challenges faced by organizations in securing their file transfer software against sophisticated cyber threats. It also underscores the importance of timely software updates and proactive mitigation measures to reduce the risk posed by such vulnerabilities.