Friday, January 26, 2024

Authentication bypass exploit in GoAnywhere MFT


Researchers have analyzed the CVE-2024-0204 vulnerability in Fortra GoAnywhere MFT software (MFT standing for managed file transfer) and published exploit code that takes advantage of it. We explain the danger, and what organizations that use this software should do about it.

Vulnerability CVE-2024-0204 in GoAnywhere MFT

Let's start by briefly recounting the story of this vulnerability in GoAnywhere. In fact, Fortra, the company developing this solution, patched this vulnerability back in early December 2023 with the release of GoAnywhere MFT 7.4.1. However, at the time the company chose not to disclose any information about the vulnerability, limiting itself to sending private recommendations to customers.

The essence of the vulnerability is as follows. After a user completes the initial setup of GoAnywhere, the product's internal logic blocks access to the initial account setup page. From then on, anyone who tries to open this page is redirected either to the admin panel (if they are authenticated as an administrator) or to the authentication page.

However, researchers found that an alternative path to the InitialAccountSetup.xhtml file can be used, which the redirection logic does not take into account. In this scenario, GoAnywhere MFT allows anyone to access this page and create a new user account with administrator privileges.

As proof of the attack's feasibility, the researchers wrote and published a short script that can create admin accounts in vulnerable versions of GoAnywhere MFT. All an attacker needs is to specify a new account name, a password (the only requirement is that it contains at least eight characters, which is interesting in itself), and the path:

[Image: part of the exploit code for the CVE-2024-0204 vulnerability. Highlighted in red is the alternative path to the initial account setup page that allows the creation of users with administrator privileges.]

In general, this vulnerability closely resembles the one discovered in Atlassian Confluence Data Center and Confluence Server a few months ago; there, too, it was possible to create admin accounts in a few simple steps.

Fortra assigned vulnerability CVE-2024-0204 "critical" status, with a CVSS 3.1 score of 9.8 out of 10.

A bit of context is needed here. In 2023, the Clop ransomware group already exploited vulnerabilities in Fortra GoAnywhere MFT and in similar products from other vendors (Progress MOVEit, Accellion FTA, and SolarWinds Serv-U) to attack hundreds of organizations worldwide. In particular, companies such as Procter & Gamble, Community Health Systems (CHS, one of the largest hospital networks in the U.S.), and the municipality of Toronto suffered from the exploitation of the GoAnywhere MFT vulnerability.

How to defend against CVE-2024-0204 exploitation

The obvious way to protect against exploitation of this vulnerability is to update GoAnywhere MFT to version 7.4.1 immediately, which fixes the logic for denying access to the InitialAccountSetup.xhtml page.

If you can't install the update for some reason, you can try one of two simple workarounds:

  • Delete the InitialAccountSetup.xhtml file in the installation folder and restart the service;

or

  • Replace InitialAccountSetup.xhtml with a blank file and restart the service.

You should also use an EDR (Endpoint Detection and Response) solution to monitor suspicious activity in the corporate network. If your internal cybersecurity team lacks the skills or resources for this, you can use an external service to continuously hunt for threats to your organization and respond to them swiftly.
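Added example, not code from the article or from Fortra: a small Python detector that scans web-server access logs for requests that reach InitialAccountSetup.xhtml under any directory prefix, which is the check a monitoring rule for this bug needs, since the whole point of the vulnerability is that the page is reached through a path other than the expected one. The log lines and request paths are constructed placeholders; the real bypass path is not reproduced.

```python
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined log format). The request paths
# are illustrative placeholders, not the actual bypass path from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Jan/2024:10:01:02 +0000] "GET /goanywhere/login.xhtml HTTP/1.1" 200 512
203.0.113.9 - - [26/Jan/2024:10:03:17 +0000] "GET /goanywhere/InitialAccountSetup.xhtml HTTP/1.1" 302 0
203.0.113.9 - - [26/Jan/2024:10:03:18 +0000] "POST /goanywhere/other/InitialAccountSetup.xhtml HTTP/1.1" 200 2048
203.0.113.9 - - [26/Jan/2024:10:03:19 +0000] "POST /goanywhere/InitialAccountSetup%2Exhtml?x=1 HTTP/1.1" 200 2048
203.0.113.7 - - [26/Jan/2024:10:05:00 +0000] "GET /goanywhere/admin/index.xhtml HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
SETUP_PAGE = "initialaccountsetup.xhtml"

def normalize_path(target):
    # Drop the query string, decode percent-encoding (twice, to catch
    # double-encoding) and collapse dot segments, so the match depends on the
    # file actually served rather than on how the URL was written.
    path = unquote(unquote(urlsplit(target).path))
    return normpath(path).lower()

def is_setup_page_request(target):
    # Match the file name under ANY directory prefix: the bug is precisely that
    # a non-canonical path reaches the page, so do not key on the usual prefix.
    return normalize_path(target).rsplit("/", 1)[-1] == SETUP_PAGE

def find_setup_page_hits(log_text):
    # Every parsed request that resolves to InitialAccountSetup.xhtml.
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_setup_page_request(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "status": int(m["status"]),
                         "path": normalize_path(m["target"])})
    return hits

def successful_setup_posts(log_text):
    # On an already-configured install the page should only ever redirect, so a
    # POST answered with 200 is the strongest sign that an account was created.
    return [h for h in find_setup_page_hits(log_text)
            if h["method"] == "POST" and h["status"] == 200]
```

Any hit on an already-configured server deserves a look, and a 200 response to a POST should trigger an immediate review of the administrator account list.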
