7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
On February 1st, 2023, Forta released an advisory behind an auth wall notifying their customers of a remote code execution zero-day exploit affecting their GoAnywhere Managed File Transfer (MFT) application.
This was picked up by Brian Krebs, an investigative journalist who published this on his Mastodon account, on February 2nd, 2023.
On February 7th, 2023, Forta released GoAnywhere MFT version 7.1.2 to fix this vulnerability. The CVE assigned to this zero-day vulnerability is CVE-2023-0669.
GoAnywhere MFT is a secure managed file transfer solution that provides smooth data sharing between systems, employees, clients, and business partners. It helps process information from files into XML, EDI, CSV, and JSON databases and offers centralized control with a wide range of security settings and complete audit trails. Deployable on-premises, cloud, and hybrid environments, GoAnywhere MFT, encrypts data following industry standard protocols; for example, HTPPS, OpenPGP, and STFP.
CVE-2023-0669 is a remote code execution vulnerability caused due to improper sanitization of serialized data. In order to exploit this vulnerability, the attacker needs to have access to the administrative console. This administrative control is typically accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS). However, Shodan shows many of such instances are exposed to the internet. The Web Client interface, which is usually accessible from the public internet, is not vulnerable to this security flaw.
Qualys released the following QID in the table below to address this vulnerability
QID | Title | VulnSigs Version |
---|---|---|
730720 | GoAnywhere Managed File Transfer (MFT) Remote Code Execution (RCE) Vulnerability | VULNSIGS-2.5. 695-2 |
The following workaround can be applied by users who are unable to upgrade to patched versions.
Before:
Image source: GoAnywhere security advisory
After:
Image source: GoAnywhere security advisory
Based on multiple threat intelligence sources, adversaries exploiting this vulnerability use Truebot-styled persistence via Scheduled Tasks to achieve coded execution via Rundll32. Qualys Multi-Vector EDR customers keep a lookout for events like the following graphic:
Additional QQL tokens for identifying malicious activity related to this attack:
Events tagged with these IOCs can be seen as follows: