CyberSecurity SEE

Fortra Exposes Critical Authentication Bypass Vulnerability in GoAnywhere MFT

A proof-of-concept exploit for a near maximum-severity flaw in Fortra’s GoAnywhere Managed File Transfer (MFT) software was recently released, which the company disclosed publicly on January 23 after informing customers about the threat almost seven weeks ago. This development indicates that mass attacks targeting the vulnerability are likely to start soon.

According to telemetry analyzed by Tenable, less than 4% of GoAnywhere MFT assets appear to be fixed versions, leaving more than 96% at significantly heightened risk of compromise. Last year, the Cl0p ransomware group exploited a remote code injection bug in GoAnywhere to deploy ransomware on systems of over 130 organizations, including Procter & Gamble, Hitachi Energy, the city of Toronto, Community Health Systems, and Hatch Bank.

The newly disclosed CVE-2024-0204 is an authentication bypass vulnerability that affects Fortra GoAnywhere MFT 6.x from 6.0.1 and Fortra GoAnywhere MFT 7.x before 7.4.1. This flaw allows an unauthenticated remote attacker to bypass typical authentication checks and create new user accounts, including those with administrator-level privileges. With a severity score of 9.8, it is close to the maximum possible 10 on the CVSS severity scoring scale. Fortra privately informed customers about the vulnerability on December 7, 2023, and issued a patch for it after two bug hunters reported the issue to the company.

Following Fortra’s disclosure of the bug, researchers from Horizon3.ai published a proof-of-concept exploit for CVE-2024-0204 along with indicators of compromise (IoCs) and technical details of the bug. This exploit demonstrates how an attacker can abuse the vulnerability to add an administrative user on vulnerable instances of GoAnywhere MFT.

Horizon3.ai has stated that the easiest indicator of compromise to check is any new addition to the Admin Users group in the GoAnywhere administrator portal (Users -> Admin Users section). For organizations using GoAnywhere MFT, this exploit poses a significant threat to their data security.
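The two defender-side checks the article gives are a version check against the affected range (6.x from 6.0.1, 7.x before 7.4.1) and a review of the Admin Users group for unexpected additions. The following is an added example of both checks, not code from Fortra or Horizon3.ai; the host inventory and the two admin-user lists are constructed sample data, standing in for an asset inventory and for a list transcribed from the Users -> Admin Users page before and after the disclosure window. The helper names (`is_affected`, `new_admin_accounts`, `triage`) are this example's own.

```python
"""Triage helpers for CVE-2024-0204 in GoAnywhere MFT (added example, not vendor code)."""
from __future__ import annotations

import re


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.4.0' or '6.8' into an integer tuple for ordered comparison.

    Comparing version strings as text would rank '7.10.2' below '7.4.1',
    so the numeric components are compared instead; short forms are padded
    to three components so that '7.4' equals '7.4.0'.
    """
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """Affected range as stated in the article: 6.x from 6.0.1 onward and
    7.x before 7.4.1.  Anything else is reported as not affected by this CVE."""
    v = parse_version(version)
    if v[0] == 6:
        return v >= (6, 0, 1)
    if v[0] == 7:
        return v < (7, 4, 1)
    return False


def new_admin_accounts(baseline: list[str], current: list[str]) -> list[str]:
    """Return admin usernames present now but absent from a known-good baseline.

    Comparison ignores case and surrounding whitespace so that trivial
    variations in the export do not hide an addition.
    """
    known = {u.strip().lower() for u in baseline}
    return sorted({u.strip() for u in current if u.strip().lower() not in known})


# Constructed sample data: not real hosts, versions of real deployments, or accounts.
INVENTORY = {
    "mft-prod-01": "7.4.0",   # affected: 7.x before 7.4.1
    "mft-prod-02": "7.4.1",   # fixed
    "mft-legacy": "6.8.3",    # affected: 6.x from 6.0.1
    "mft-lab": "7.10.2",      # fixed; a text comparison would misclassify this
}
BASELINE_ADMINS = ["admin", "svc_backup"]          # taken before the disclosure window
CURRENT_ADMINS = ["admin", "svc_backup", "Admin2"]  # taken now


def triage(inventory: dict[str, str], baseline: list[str], current: list[str]) -> dict:
    """Combine both checks into one report keyed by finding type."""
    return {
        "unpatched": sorted(h for h, v in inventory.items() if is_affected(v)),
        "new_admins": new_admin_accounts(baseline, current),
    }


if __name__ == "__main__":
    report = triage(INVENTORY, BASELINE_ADMINS, CURRENT_ADMINS)
    print("hosts still in the affected range:", ", ".join(report["unpatched"]) or "none")
    print("admin accounts not in baseline:", ", ".join(report["new_admins"]) or "none")
```

The diff is only as good as the baseline: a list captured after an intrusion would simply ratify the attacker's account, so the baseline should come from a known-clean point, ideally before the December 7, 2023 private notification. The version table encodes the range the article reports; confirm it against Fortra's current advisory before relying on it.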

James Horseman, an exploit developer at Horizon3.ai, described the new vulnerability as trivial to exploit. Because instances of GoAnywhere MFT are easy to find by scanning the internet, an attacker can locate vulnerable systems with little effort.

Fortra’s GoAnywhere MFT is used by thousands of organizations to manage ad hoc and batch file transfers, ranging from small businesses to Fortune 500 companies, nonprofits, and government agencies. Managed file transfer technologies such as GoAnywhere are seen as a treasure trove of information for attackers, with an abundance of sensitive data likely to be found on these systems.

The Cl0p ransomware group’s attack in 2023 was a clear example of the serious potential for exploiting GoAnywhere MFT vulnerabilities. The attacks prompted the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to include the vulnerability in a June 2023 advisory on the Cl0p ransomware threat. Other cybercriminal groups, such as BlackCat (ALPHV) and LockBit, may also have exploited these vulnerabilities in the past.

Fortra’s decision to delay the public disclosure almost certainly stemmed from an effort to give customers an opportunity to patch the issue before attackers exploited it. However, this approach has drawn criticism as it could affect Fortra’s public image due to the lack of transparency. By delaying disclosure, vendors are withholding information from users that can be used to determine when to patch.

In conclusion, the exploit for the near maximum-severity flaw in Fortra’s GoAnywhere MFT software poses a significant threat to organizations using the solution. With a large percentage of assets still at significantly heightened risk of compromise due to the lack of fixed versions, organizations need to take immediate action to mitigate the risk and safeguard their data.