January 24, 2024 at 10:07AM
Security researchers have rapidly published working exploits for a critical authentication bypass vulnerability in Fortra GoAnywhere MFT that Fortra first disclosed in December. Researchers from Horizon3 developed an exploit against a vulnerable endpoint that lets an unauthenticated attacker create new admin users. Fortra advises upgrading to version 7.4.1 or applying the documented mitigations to prevent exploitation.
From the meeting notes, I have compiled the following key takeaways:
1. Security experts have rapidly developed working exploits for a critical vulnerability in Fortra GoAnywhere MFT. The vulnerability, tracked as CVE-2024-0204, has a severity rating of 9.8 and is remotely exploitable.
2. Researchers from Horizon3 used clues from Fortra’s public advisory to create a working exploit that allows unauthenticated attackers to create new admin user accounts.
3. The exploit targets the vulnerable InitialAccountSetup.xhtml endpoint and takes advantage of path traversal weaknesses in Tomcat-based applications, allowing attackers to access forbidden pages and create admin accounts.
4. Fortra has advised customers to upgrade immediately to at least version 7.4.1 of GoAnywhere MFT, which fixes the vulnerability. As a temporary mitigation, non-container deployments should delete the InitialAccountSetup.xhtml file, and container-deployed instances should replace the file with an empty one.
5. Potential indicators of compromise include new additions to the Admin Users group in the GoAnywhere MFT admin portal, as well as traces of any new admin accounts in database logs.
6. Although no exploitation attempts had been detected at the time of the meeting, the public availability of proof-of-concept code makes an increase in exploitation attempts likely in the near future.
7. The significance of the vulnerability is heightened by the wide usage of GoAnywhere MFT in critical data transfer scenarios, such as in government entities and critical infrastructure organizations, making successful exploits potentially damaging.
8. This incident marks a recurrence of a past security disaster suffered by Fortra in relation to GoAnywhere MFT, highlighting the seriousness of the situation.
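As an added example (not code from the article, Horizon3 or Fortra), a small Python triage helper for the indicators in item 5 and the endpoint named in item 6: it flags any access-log request for InitialAccountSetup.xhtml (on an instance whose initial setup is complete, that page should never be requested), percent-decoding and normalising the path first so obfuscated variants are not missed, and diffs the current admin-user list against a baseline. The log lines, URL prefix and account names are constructed for the example.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

SETUP_PAGE = "InitialAccountSetup.xhtml"

# Constructed Tomcat-style access log lines; the /mft/setup prefix is invented.
ACCESS_LOG = """\
10.0.0.5 - - [23/Jan/2024:09:12:01 +0000] "GET /mft/login.xhtml HTTP/1.1" 200 5120
10.0.0.5 - - [23/Jan/2024:09:12:07 +0000] "POST /mft/login.xhtml HTTP/1.1" 302 0
203.0.113.9 - - [23/Jan/2024:11:40:22 +0000] "GET /mft/setup/InitialAccountSetup.xhtml HTTP/1.1" 200 8812
203.0.113.9 - - [23/Jan/2024:11:40:25 +0000] "POST /mft/setup/%49nitialAccountSetup.xhtml HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise(raw_path):
    """Strip the query string, undo (double) percent-encoding, collapse dot segments."""
    path = raw_path.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return normpath(path)


def find_setup_page_hits(log_text):
    """Return every request whose normalised path ends in the setup page."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        norm = normalise(m["path"])
        if norm.rsplit("/", 1)[-1].lower() == SETUP_PAGE.lower():
            hits.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "status": int(m["status"]), "raw": m["path"],
                # True when decoding/normalising changed the path: worth a closer look
                "obfuscated": norm != m["path"].split("?", 1)[0],
            })
    return hits


def new_admin_accounts(baseline, current):
    """Admin accounts present now that were absent from the last known-good export."""
    return sorted(set(current) - set(baseline))


if __name__ == "__main__":
    for hit in find_setup_page_hits(ACCESS_LOG):
        print("setup page requested:", hit)
    print("new admins:", new_admin_accounts(["admin", "ops"], ["admin", "ops", "svc_mft"]))
```

Point the log parser at the real Tomcat access log and the admin diff at a periodic export of the Admin Users group; any hit after setup is complete warrants investigation.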
These takeaways provide a clear summary of the current situation and the necessary actions to be taken in response to the security vulnerability and emerging exploits.