If you’re using a version of Fortra’s GoAnywhere MFT that’s lower than 7.4.1, you’ll likely be shocked to know that with some hacking knowledge, anyone can create an account on your administrator portal.
With a CVSS score of 9.8, critical-rated CVE-2024-0204 is an authentication bypass vulnerability that allows any unauthenticated user to gain admin access to the application. Luckily for its users, this scary flaw already has a patch! Check out the last section of this blog for solutions.
Technical Details
Horizon3.ai researchers have released a Proof of Concept for the vulnerability, detailing an exploitation technique.
Upon installation, the application first tries to go to /Dashboard.xhtml, but redirects to /auth/Login.xhtml because the user is not yet authenticated. The com.linoma.dpa.security.SecurityFilter class handles this redirection by checking the requested endpoints and routing the user to the right ones based on their access permissions.
Within this class, the redirection to the initial account setup is done by checking the pre-existing admin users and path names. If there is an existing admin user, and the path is /wizard/InitialAccountSetup.xhtml, then the user is routed to /Dashboard.xhtml.
Researchers decided to check if the path was properly normalized, and it turned out it wasn’t! Despite lacking an existing admin user, submitting a path like https://192.168.1.1:8001/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml redirected them to the setup page instead of throwing an error. After resubmitting the account setup form once more with that path traversal, they were able to see that a new admin user had been created.
Products Affected
The only product affected is Fortra GoAnywhere MFT, and the versions affected include:
-
- Fortra GoAnywhere MFT 6.x from 6.0.1
-
- Fortra GoAnywhere MFT 7.x before 7.4.1
Impact
Fortra privately warned its users of the vulnerability in early December. But as of January 23, 2024, 96.4% of GoAnywhere MFT assets are using an affected version. That means most current users are at high risk of compromise despite the patch being rolled out over a month ago!
Solutions to CVE-2024-0204
If you want to check whether your software has been compromised, check the Users -> Admin Users section in the administrator portal. Look for any user you didn’t create. If such user(s) exist, their last activity timestamp should tell you when your application was jeopardized.
According to the vendor advisory, “the vulnerability may also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart. For additional information, see https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml (registration required).”
If you’re facing difficulties with patching the product, you have two manual mitigation options:
1. Delete the InitialAccountSetup.xhtml file from the installation directory and restart the service.
2. Replace the InitialAccountSetup.xhtml file with an empty file, then restart the service.
You should try to patch your application regardless, though! Fixes can be installed using SanerNow. SanerNow Vulnerability Management, Risk Prioritization, and Patch Management detect and automatically fix vulnerabilities with risk-based remediation. With SanerNow, you can keep your systems updated and secure.