Popular file transfer software contains a seriously dangerous security bug that gives anyone free admin rights – so patch it now to avoid another MOVEit-like debacle

GoAnywhere Managed File Transfer (MFT), the program at the center of a major data scandal about a year ago, may have a new, very serious vulnerability that users should patch immediately to prevent more problems.

Cybersecurity researchers Mohammed Eldeeb and Islam Elrfai of Spark Engineering Consultants discovered the flaw in December 2023 and disclosed it to GoAnywhere developer Fortra.

It is described as a path traversal weakness and is tracked as CVE-2024-0204. It carries a severity score of 9.8/10, which rates it as critical.

There is also a solution available

As explained by the researchers and by cybersecurity firm Horizon3.ai, which subsequently published a proof-of-concept (PoC) exploit, the vulnerability can be used to create a new administrator for the tool:

“Authentication bypass in Fortra’s GoAnywhere MFT before 7.4.1 allows an unauthorized user to create an administrative user through the administration portal,” reads a new Fortra advisory.

“The simplest indication of a compromise to analyze is any new addition to the Admin Users group in the GoAnywhere admin portal Users -> Admin Users,” said Horizon3.ai security researcher Zach Hanley. “If the attacker left this user here, you may be able to view the last login activity here to determine an approximate date of the attack.”

Those who cannot apply the patch at this time can use a workaround on non-container deployments: delete the InitialAccountSetup.xhtml file in the installation folder and then restart the device. For containerized instances, Fortra recommends replacing the file with an empty file before restarting.
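As an added illustration (not code from the article, Fortra or Horizon3.ai), the Python helper below checks whether a GoAnywhere version is still below 7.4.1, reports whether the interim workaround above is in place, and applies it for either deployment mode. It assumes InitialAccountSetup.xhtml sits somewhere under the installation folder passed as `install_dir`; the article does not give the exact sub-path, so the file is located by name.

```python
"""Check for / apply Fortra's interim workaround for CVE-2024-0204.

Added example, not Fortra's or GoAnywhere's own code. Assumption: the
InitialAccountSetup.xhtml page lives somewhere below `install_dir`.
"""
from pathlib import Path
from typing import Optional

WORKAROUND_FILE = "InitialAccountSetup.xhtml"
FIXED_VERSION = (7, 4, 1)  # fixed in 7.4.1 per the Fortra advisory


def parse_version(text: str) -> tuple:
    """Turn '7.4.0' into (7, 4, 0); non-numeric pieces count as 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(text: str) -> bool:
    """Every release before 7.4.1 is affected."""
    return parse_version(text) < FIXED_VERSION


def find_setup_page(install_dir: Path) -> Optional[Path]:
    """Locate the setup page under the install folder, if it exists."""
    matches = list(Path(install_dir).rglob(WORKAROUND_FILE))
    return matches[0] if matches else None


def workaround_status(install_dir: Path) -> str:
    """'exposed' if the page is present with content, else 'mitigated'."""
    page = find_setup_page(install_dir)
    if page is None or page.stat().st_size == 0:
        return "mitigated"
    return "exposed"


def apply_workaround(install_dir: Path, containerized: bool) -> str:
    """Delete the page (non-container) or empty it (container), then report.
    The GoAnywhere service must still be restarted afterwards."""
    page = find_setup_page(install_dir)
    if page is not None:
        if containerized:
            page.write_bytes(b"")  # replace with an empty file
        else:
            page.unlink()  # remove the file outright
    return workaround_status(install_dir)
```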

There is currently no evidence that the vulnerability is being exploited in the wild, but now that the news is out and a PoC is available, it is only a matter of time before unpatched endpoints are targeted. Users should apply the patch immediately and avoid compromising the integrity of their data.

Last year, a vulnerability in GoAnywhere resulted in sensitive data from nearly 130 organizations being stolen.

Via The Hacker News
