The Hacker NewsTHN:D134B024F71379159101B91D6E8FE45FPatch Your GoAnywhere MFT Immediately - Critical Flaw Lets Anyone Be Admin
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.968 High
EPSS
Percentile
99.6%
A critical security flaw has been disclosed in Fortraβs GoAnywhere Managed File Transfer (MFT) software that could be abused to create a new administrator user.
Tracked as CVE-2024-0204, the issue carries a CVSS score of 9.8 out of 10.
βAuthentication bypass in Fortraβs GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal,β Fortra said in an advisory released on January 22, 2024.
Users who cannot upgrade to version 7.4.1 can apply temporary workarounds in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services.
For container-deployed instances, itβs recommended to replace the file with an empty file and restart.
Mohammed Eldeeb and Islam Elrfai of Cairo-based Spark Engineering Consultants have been credited with discovering and reporting the flaw in December 2023.
Cybersecurity firm Horizon3.ai, which published a proof-of-concept (PoC) exploit for CVE-2024-0204, said the issue is the result of a path traversal weakness in the β/InitialAccountSetup.xhtmlβ endpoint that could be exploited to create administrative users.
βThe easiest indicator of compromise that can be analyzed is for any new additions to the Admin Users group in the GoAnywhere administrator portal Users -> Admin Users section,β Horizon3.ai security researcher Zach Hanley said.
βIf the attacker has left this user here you may be able to observe its last logon activity here to gauge an approximate date of compromise.β
Data shared by Tenable shows that 96.4% of GoAnywhere MFT assets are using an affected version, while 3.6% are running a fixed version as of January 23, 2024, meaning a large number of the instances are at heightened risk of compromise.
While there is no evidence of active exploitation of CVE-2024-0204 in the wild, another flaw in the same product (CVE-2023-0669, CVSS score: 7.2) was abused by the Cl0p ransomware group to breach nearly 130 victims last year.
Found this article interesting? Follow us on Twitter ο and LinkedIn to read more exclusive content we post.
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.968 High
EPSS
Percentile
99.6%