Critical Authentication Bypass Discovered in Fortra GoAnywhere MFT - Exploit Released

A critical Authentication Bypass vulnerability has been uncovered in Fortra's popular GoAnywhere Managed File Transfer (MFT) software that could allow remote attackers to bypass authentication and gain administrative access.

Disclosed on January 22nd, 2024, the vulnerability tracked as CVE-2024-0204 is considered highly severe with a CVSS score of 9.8 out of 10. First uncovered by researchers malcolm0x and Islam Elrfai, the issue allows unauthenticated threat actors to create admin users by exploiting a path traversal vulnerability in the /InitialAccountSetup.xhtml endpoint.

By manipulating the request to inject directory traversal sequences like /..;/, attackers could bypass authentication checks and access the new admin account creation page. This subsequently enabled creating a new admin account with full privileges without requiring any credentials.

The vulnerability arose from insufficient input validation on the /InitialAccountSetup.xhtml endpoint that's used in the initial setup wizard after installing GoAnywhere. The software did not properly sanitize the user-supplied input, enabling the path traversal attack vector.

Fortra has credited the researchers malcolm0x and Islam Elrfai with discovering and responsibly disclosing the vulnerability. The company issued an internal security advisory post and released patches in December 2023 that added additional checks in the vulnerable InitialAccountSetupForm class to prevent unauthenticated access.

Fortra has strongly urged customers to apply the latest updates as soon as possible to mitigate the vulnerability. The vendor has also provided workarounds, like removing the vulnerable /InitialAccountSetup.xhtml file from the install directory, that can temporarily reduce exposure until patching.

Upgrade to version 7.4.1 or higher. The vulnerability may also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart. For additional information, see https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml (registration required). - Mitigation notes read.

Fortra GoAnywhere MFT is an enterprise-level managed file transfer solution used by organizations to secure, automate, and audit file transfers. The software allows transferring large volumes of data between servers, employees, partners, and customers through a centralized interface with role-based access control.

GoAnywhere provides extensive encryption, protocols, and integration capabilities for exchanging sensitive files. It can connect to almost any system ranging from SFTP and FTP servers to cloud platforms and databases. The centralized dashboard enables configuring workflows, alerts, reports and more.

This severe vulnerability highlights the risks of insufficient input validation in web applications, especially those related to authentication and authorization. Attackers are continuously probing for such flaws that enable bypassing login screens and escalating privileges.

The ease of exploitation combined with widespread usage makes this a very dangerous vulnerability that is likely to see active exploitation in the wild. Researchers from Horizon3.ai have released a POC exploit for the vulnerability on GitHub.

Enterprises using GoAnywhere are advised to immediately audit their logs for any suspicious admin account creation activity. New user accounts not tied to employee profiles or expected business workflows could indicate previous compromise. Analysts also recommend checking database transaction logs for the GoAnywhere system around the timeline of December 2023 when patches were released.

In 2023, file transfer applications were a top target by threat actors including MOVEit. It was revealed that the Clop ransomware gang had breached 130 companies and organizations by exploiting a critical remote code execution flaw tracked as CVE-2023-0669 in GoAnywhere MFT.