A serious security vulnerability has recently come to light in Fortra’s GoAnywhere Managed File Transfer (MFT) software, exposing users to the risk of unauthorized administrator access. Designated as CVE-2024-0204, this flaw has been assigned a high CVSS score of 9.8 out of 10.
In a statement released on January 22, 2024, Fortra revealed that an authentication bypass in GoAnywhere MFT, prior to version 7.4.1, enables an unauthorized user to create an admin account through the administration portal.
For users unable to upgrade to version 7.4.1 immediately, temporary workarounds are available. For non-container deployments, one such workaround is to delete the “InitialAccountSetup.xhtml” file in the installation directory and then restart the services. For container-deployed instances, it is advisable to replace the file with an empty version and restart the system.
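One way to confirm the workaround state on a host, as an added example that is not Fortra's or Horizon3.ai's code. The installation directory is passed in by the operator because the page does not give its path, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not vendor code): report whether the InitialAccountSetup.xhtml
# workaround is in effect under a GoAnywhere MFT installation directory.
# Assumption: the operator supplies the directory; the page does not name it.

TARGET_NAME="InitialAccountSetup.xhtml"

# Print "<STATE> <path>" for every copy found; STATE is PRESENT (non-empty)
# or EMPTY (zero bytes, the container-style replacement).
list_setup_files() {
    # find hands the paths to the inner sh as arguments, so spaces survive.
    find "$1" -type f -iname "$TARGET_NAME" -exec sh -c '
        for f do
            if [ -s "$f" ]; then printf "PRESENT %s\n" "$f"
            else printf "EMPTY %s\n" "$f"
            fi
        done' sh {} + 2>/dev/null
}

# Exit status: 0 = no copy or only empty copies, 1 = a non-empty copy remains,
# 2 = the argument is not a directory.
check_workaround() {
    cw_root="$1"
    if [ -z "$cw_root" ] || [ ! -d "$cw_root" ]; then
        echo "error: '$cw_root' is not a directory" >&2
        return 2
    fi
    cw_report="$(list_setup_files "$cw_root")"
    if [ -z "$cw_report" ]; then
        echo "OK: no $TARGET_NAME under $cw_root (file deleted)"
        return 0
    fi
    printf '%s\n' "$cw_report"
    if printf '%s\n' "$cw_report" | grep -q '^PRESENT '; then
        echo "NOT APPLIED: a non-empty $TARGET_NAME is still present"
        return 1
    fi
    echo "OK: only empty copies of $TARGET_NAME remain"
    return 0
}

# Run the check only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    check_workaround "$1"
    exit $?
fi
```

A clean result only reflects the file on disk; the services still have to be restarted for the workaround to take effect, and upgrading to 7.4.1 remains the fix.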
The discovery of this critical flaw is credited to Mohammed Eldeeb and Islam Elrfai, cybersecurity experts from Spark Engineering Consultants in Cairo, who reported the issue in December 2023.
Cybersecurity firm Horizon3.ai has also weighed in on the matter, providing a proof-of-concept (PoC) exploit for CVE-2024-0204. According to Horizon3.ai security researcher Zach Hanley, the vulnerability stems from a path traversal weakness in the “/InitialAccountSetup.xhtml” endpoint, which malicious actors could exploit to create administrative user accounts.
Hanley suggests monitoring the Admin Users group in the GoAnywhere administrator portal’s Users -> Admin Users section as an indicator of compromise. Any new additions to this group could signify a potential security breach. Additionally, examining the last logon activity of any suspicious users in this section may provide insights into the approximate date of compromise.
While there is currently no evidence of active exploitation of CVE-2024-0204 in the wild, it’s essential to remain vigilant. Notably, a previous vulnerability in the same product (CVE-2023-0669, CVSS score: 7.2) was exploited by the Cl0p ransomware group last year, compromising nearly 130 victims.
In light of these developments, users are strongly urged to patch their GoAnywhere MFT software to version 7.4.1 promptly. Failing to do so could leave systems exposed to unauthorized access and put sensitive data at risk. Those unable to upgrade immediately should implement the recommended workarounds and monitor administrative user groups for any suspicious activity.
Remember, a swift response to security vulnerabilities is crucial in safeguarding your digital infrastructure against potential threats.