Barely 12 months since a zero-day in the Fortra GoAnywhere managed file transfer (MFT) tool resulted in a surge in cyber attacks and global infamy for the Clop (aka Cl0p) ransomware gang, users of the popular service are being advised to steel themselves against a newly uncovered, critical flaw in the product.
Credited to security researchers Mohammed Eldeeb and Islam Elrfai of Egypt-based Spark Engineering Consultants, CVE-2024-0204 is a remotely exploitable authentication bypass flaw in Fortra GoAnywhere MFT that exists in versions prior to 7.4.1.
Left untreated, it could allow an unauthorised user to create an admin user via the administration portal – something that would prove of great value to a ransomware gang looking to achieve persistence in a victim environment.
According to Fortra, users can mitigate the issue by upgrading to version 7.4.1 of GoAnywhere or higher. Additionally, users can mitigate the vulnerability’s impact in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory, and then restarting the service. For instances deployed in containers, this file should be replaced with an empty one, then the service can be restarted.
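The two facts above, the fixed version and the file-level workaround, can be encoded as a small POSIX shell helper. This is an added example, not Fortra's tooling and not from the article; the install directory, the `host`/`container` mode argument and the function names are assumptions, and the service restart the vendor requires is left to the operator.

```shell
#!/bin/sh
# Added example (not Fortra's code). Checks a GoAnywhere MFT version
# against the 7.4.1 fix for CVE-2024-0204 and applies the vendor's
# file-level workaround for InitialAccountSetup.xhtml.

# goanywhere_vulnerable VERSION -> exit 0 if VERSION is earlier than 7.4.1
goanywhere_vulnerable() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1 | tr -cd '0-9')
    minor=$(printf '%s' "$ver" | cut -d. -f2 | tr -cd '0-9')
    patch=$(printf '%s' "$ver" | cut -d. -f3 | tr -cd '0-9')
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    # Compare component-wise against 7.4.1
    [ "$major" -lt 7 ] && return 0
    [ "$major" -gt 7 ] && return 1
    [ "$minor" -lt 4 ] && return 0
    [ "$minor" -gt 4 ] && return 1
    [ "$patch" -lt 1 ] && return 0
    return 1
}

# setup_page_exposed DIR -> exit 0 if the setup page is still present and
# non-empty, i.e. neither workaround (delete or empty) has been applied.
# DIR is the install directory (an assumption supplied by the caller).
setup_page_exposed() {
    [ -s "$1/InitialAccountSetup.xhtml" ]
}

# mitigate_initial_setup DIR host|container
# host:      delete the file (vendor guidance for non-container installs)
# container: replace it with an empty file (vendor guidance for containers)
# The service must be restarted afterwards; that step is left to the operator.
mitigate_initial_setup() {
    dir="$1"; mode="$2"
    f="$dir/InitialAccountSetup.xhtml"
    if [ ! -e "$f" ]; then
        echo "workaround already applied: $f is absent"
        return 0
    fi
    case "$mode" in
        host)      rm -f "$f"; echo "removed $f (non-container deployment)" ;;
        container) : > "$f";   echo "emptied $f (container deployment)" ;;
        *) echo "mode must be host or container" >&2; return 2 ;;
    esac
}
```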
Delayed disclosure raises questions
Almost immediately after Fortra published details of the issue, questions began to be raised about an apparent six-week delay in the public disclosure process. Caitlin Condon, Rapid7 director of vulnerability research and intelligence, was among those to spot the discrepancy.
“Fortra evidently addressed this vulnerability in a December 7, 2023 release of GoAnywhere MFT, but it would appear they did not issue an advisory until now. According to a screenshot from Mohammed Eldeeb, the researcher who discovered the vulnerability, private communications went out to GoAnywhere MFT customers circa December 4,” she wrote in a blog post.
Condon added: “In February 2023, a zero-day vulnerability (CVE-2023-0669) in GoAnywhere MFT was exploited in a large-scale extortion campaign conducted by the Cl0p ransomware group. It’s unclear from Fortra’s initial advisory whether CVE-2024-0204 has been exploited in the wild, but we would expect the vulnerability to be targeted quickly if it has not come under attack already, particularly since the fix has been available to reverse engineer for more than a month. Rapid7 strongly advises GoAnywhere MFT customers to take emergency action.”
Additionally, Horizon3.ai red-teamer and chief attack engineer Zach Hanley has now published details of a proof-of-concept exploit against CVE-2024-0204, detailing how it arises from a path traversal weakness in Fortra GoAnywhere, which he was able to take advantage of to create additional users.
The existence of a proof-of-concept exploit heightens the potential danger for Fortra GoAnywhere users who have not yet updated and whose instances are public-facing. It is unknown at the time of writing how many vulnerable instances may exist.
Hanley also outlined potential indicators of compromise (IoCs) for security teams to look out for. The most immediately obvious of these will be the potential addition of unknown new accounts in the Admin Users group in the GoAnywhere admin portal, but investigators may also wish to inspect logs found at the following location – GoAnywhere\userdata\database\goanywhere\log\*.log – for possible changes.