WARNING: CRITICAL AUTHENTICATION BYPASS VULNERABILITY IN FORTRA GOANYWHERE MFT, PATCH IMMEDIATELY!
CVE-2024-0204
CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
https://www.fortra.com/security/advisory/fi-2024-001
Risques
CVE-2024-0204 is a critical authentication bypass vulnerability affecting the GoAnywhere secure managed file transfer (MFT) product prior to version 7.4.1. An unauthenticated attacker could remotely exploit this vulnerability to create an admin user via the administration portal.
Successful exploitation of this vulnerability highly affects the availability, confidentiality, and integrity.
There is no available information yet about the vulnerability being exploited in the wild by threat actors, but a PoC was recently released which could increase the risk of exploitation.
Description
According to Fortra, the root cause of the CVE-2024-0204 authentication bypass vulnerability is listed as forced browsing (CWE-425) which is a weakness that occurs when a web application does not adequately enforce authorization on restricted URLs, scripts, or files.
The vulnerability was addressed in a December 7, 2023 release of GoAnywhere MFT, and a customer advisory was also released.
The public advisory was published on January 22, 2024.
The affected version are:
- Fortra GoAnywhere MFT 6.x from 6.0.1
- Fortra GoAnywhere MFT 7.x before 7.4.1
Actions recommandées
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
GoAnywhere MFT customers should update to a fixed version (7.4.1 or higher) on an emergency basis. Organizations should also ensure that administrative portals are not exposed to the public internet.
The vulnerability can also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, the vulnerability can be eliminated by replacing the file with an empty file and restarting the services.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.