Exploit Code Released For Fortra GoAnywhere MFT Flaw

Proof-of-concept exploit code has been released for a recently disclosed critical vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) software.

Fortra publicly disclosed the vulnerability in an advisory on Monday, but the patch had been made available to customers earlier, on Dec. 7. The flaw (CVE-2024-0204) could enable remote, unauthenticated attackers to bypass authentication in order to create new users in the application. The proof-of-concept code released on Jan. 23 by researchers at Horizon3.ai outlines how the flaw can be exploited to create users in the application with administrative privileges.

“With the availability of a PoC, we anticipate exploit scanning to begin soon, followed by in-the-wild exploitation of this flaw,” said Satnam Narang with Tenable in a Tuesday post.

At the time of public disclosure, Fortra said that CVE-2024-0204 had not been exploited in the wild. The flaw, which was discovered on Dec. 1, is relatively easy to exploit: a remote attacker could send a specially crafted request to a vulnerable GoAnywhere MFT instance, according to Narang. GoAnywhere MFT versions 6.0.1 through 7.4.0 are impacted; users are encouraged to upgrade to version 7.4.1. Two mitigation options are also available for impacted customers, according to Fortra.

“Upgrade to version 7.4.1 or higher,” according to Fortra’s advisory. “The vulnerability may also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart.”
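As an added example (not code from Fortra or from the original article), the following script audits a single host against the guidance above: it checks whether the version falls in the impacted range and whether InitialAccountSetup.xhtml is deleted, empty, or still present with content. The version string and install directory are supplied by the operator, and the verdict labels are this example's own.

```shell
#!/bin/sh
# Added example: audit one GoAnywhere MFT host for CVE-2024-0204 exposure.
# Assumption: the operator supplies the running version and install directory;
# the verdict strings below are this example's own labels.

PAGE='InitialAccountSetup.xhtml'   # file named in Fortra's mitigation

# ver_to_int MAJOR.MINOR.PATCH -> one comparable integer (7.4.0 -> 7004000)
ver_to_int() {
    ( IFS=.; set -f; set -- $1
      echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} )) )
}

# is_affected VERSION -> true for 6.0.1 through 7.4.0, the range in the article
is_affected() {
    v=$(ver_to_int "$1")
    [ "$v" -ge 6000001 ] && [ "$v" -le 7004000 ]
}

# setup_page_state DIR -> present | empty | absent
setup_page_state() {
    if find "$1" -type f -name "$PAGE" -size +0 2>/dev/null | grep -q .; then
        echo present      # at least one copy still has content
    elif find "$1" -type f -name "$PAGE" 2>/dev/null | grep -q .; then
        echo empty        # container-style mitigation: zero-byte file
    else
        echo absent       # non-container mitigation: file deleted
    fi
}

# audit VERSION DIR -> prints a verdict; non-zero exit when action is needed
audit() {
    [ -d "$2" ] || { echo no-such-directory; return 2; }
    if ! is_affected "$1"; then echo not-affected; return 0; fi
    case "$(setup_page_state "$2")" in
        present) echo affected-unmitigated; return 1 ;;
        *)       echo affected-mitigated ;;
    esac
}

if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

A mitigated verdict reflects only the file on disk; Fortra's guidance also requires restarting the services, which this script cannot confirm.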

Secure file transfer tools are lucrative targets for threat actors because of the sensitive enterprise data that they house, and Fortra’s GoAnywhere MFT has previously been at the center of zero-day exploitation efforts. In February 2023, a remote code injection exploit was found in GoAnywhere MFT (CVE-2023-0669) that was leveraged in Clop ransomware attacks.

“The Cl0p ransomware group has consistently targeted file transfer solutions as part of their ransomware campaigns over the last three years including several flaws in Accellion’s File Transfer Appliance (FTA) in late 2020/early 2021, CVE-2023-0669 in Fortra’s GoAnywhere MFT in January 2023 and CVE-2023-34362 in Progress Software’s MOVEit Secure MFT in May 2023,” according to Narang.

“While researchers were credited with discovering CVE-2024-0204, it is not out of the realm of possibility that Cl0p or another ransomware group may adopt this flaw in conducting attacks against vulnerable organizations. We strongly encourage affected customers to apply the available patch as soon as possible.”
