Navigating the Storm: the GoAnywhere MFT CVE-2024-0204 Vulnerability

vsociety
3 min read · Apr 27, 2024

by @alchemist

Screenshots from the blog posts

Summary

The release of a Proof-of-Concept (PoC) exploit code for a critical vulnerability (CVE-2024-0204) in Fortra’s GoAnywhere MFT solution has heightened concerns within the cybersecurity community. The public availability of this exploit raises fears that malicious actors might swiftly leverage it to compromise systems.

Description

Introduction:

Greetings, fellow cybersecurity enthusiasts! Today, I find myself compelled to share a pressing concern that has recently surfaced in the cybersecurity landscape — a critical authentication bypass vulnerability in Fortra’s GoAnywhere MFT, tracked as CVE-2024-0204. Allow me to take you through the intricacies of this newfound threat and its potential implications.

Discovery and Severity:

On this journey, we discuss a disclosure by Fortra regarding a severe security risk embedded in GoAnywhere MFT, a widely used Managed File Transfer tool. The vulnerability, CVE-2024-0204, holds a staggering CVSS score of 9.8, underscoring its critical nature. What makes it even more alarming is that remote, unauthenticated attackers can create admin-level users, opening the door to a myriad of malicious actions.

Timeline of Events:

The vulnerability was discovered on December 1, 2023, and Fortra acted swiftly, releasing version 7.4.1 of GoAnywhere MFT on December 7 to address it. While private advisories reached customers promptly after the detection, a public security advisory with limited information was issued only recently, urging organizations to stay vigilant.

Potential Successor to CVE-2023-0669:

This vulnerability sparks memories of its predecessor, CVE-2023-0669, which served as a gateway for ransomware attacks by the infamous Cl0p ransomware group. Exploitation of CVE-2023-0669 granted malicious actors Remote Code Execution (RCE) capabilities, contributing to a 91% increase in ransomware attacks within a single month. Could CVE-2024-0204 follow in its footsteps?

Risk Mitigation and Alternatives:

Fortra urges users to upgrade to version 7.4.1 or higher to safeguard against potential exploitation. The advisory also provides alternative manual mitigations for those who cannot immediately patch. For non-container deployments, deleting the InitialAccountSetup.xhtml file and restarting the services is recommended, while container users are advised to replace the file with an empty file.

Public Proof-of-Concept (PoC) Exploit:

The plot thickens as researchers unveil a technical analysis and a Proof-of-Concept (PoC) exploit on GitHub. This exploit leverages a path traversal issue to reach the /InitialAccountSetup.xhtml endpoint without authentication, enabling the creation of new admin users. The availability of this PoC raises the practical risk and calls for heightened vigilance.
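Because the advisory's mitigation is to delete or empty InitialAccountSetup.xhtml once setup is complete, any request that still reaches that page is worth an alert. The following detector is an added example, not code from vsociety, Fortra or the PoC authors: it normalizes request paths from web access logs (assumed to be in Common Log Format, which may differ from GoAnywhere's actual log layout) and flags requests that touch the setup page, noting traversal, encoding and POST submissions as escalating indicators. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# The setup page the advisory says to delete or empty after initial configuration.
SETUP_PAGE = "initialaccountsetup.xhtml"

# Assumed Common Log Format; the real GoAnywhere access-log layout may differ.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def decode_path(raw):
    """Drop the query string and percent-decode twice so encoded variants still match."""
    path = raw.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path.lower()

def classify(line):
    """Return None for benign requests, else a dict with the indicators that fired."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_path(m["path"])
    if SETUP_PAGE not in decoded:
        return None
    indicators = ["setup_page_requested"]
    if ".." in decoded:
        indicators.append("path_traversal")
    if decoded != m["path"].lower():  # percent-encoding or a query string was present
        indicators.append("encoded_or_query")
    if m["method"] == "POST":         # the form submission that would create the account
        indicators.append("post_account_creation")
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "path": m["path"], "status": m["status"], "indicators": indicators}

def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits, in order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample traffic, not real log data.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Apr/2024:10:00:01 +0000] "GET /goanywhere/login.xhtml HTTP/1.1" 200 5120',
    '203.0.113.5 - - [27/Apr/2024:10:00:07 +0000] "GET /goanywhere/InitialAccountSetup.xhtml HTTP/1.1" 200 8800',
    '203.0.113.5 - - [27/Apr/2024:10:00:09 +0000] "POST /goanywhere/images/../InitialAccountSetup.xhtml HTTP/1.1" 302 0',
    '198.51.100.9 - - [27/Apr/2024:10:01:00 +0000] "GET /goanywhere/%49nitial%41ccountSetup.xhtml?x=1 HTTP/1.1" 404 120',
]
if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["method"], hit["path"], ",".join(hit["indicators"]))
```

A 200 or 302 on the setup page from a patched or mitigated instance should never occur, so treat any hit as a trigger to check for newly created admin accounts.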

Conclusion:

As we navigate the turbulent waters of CVE-2024-0204, the cybersecurity community must stand united. Fortra has provided the lifeboat — upgrading to version 7.4.1 — but we must ensure all ships are secure. The echoes of CVE-2023-0669 linger, serving as a stark reminder that our adversaries are persistent. Let us remain vigilant, adapt to the evolving threat landscape, and safeguard our digital realms.

Stay secure, stay informed, and let us face this storm together.


vsociety

vsociety is a community centered around vulnerability research