Proof-of-concept exploit details are available for a newly disclosed critical vulnerability in Fortra GoAnywhere Managed File Transfer (MFT), a product historically targeted by ransomware
On January 22, Fortra (formerly HelpSystems) published a security advisory (FI-2024-001) for a critical vulnerability in GoAnywhere, its managed file transfer (MFT) software.
CVE | Description | CVSSv3 |
---|---|---|
CVE-2024-0204 | Fortra GoAnywhere MFT Authentication Bypass Vulnerability | 9.8 |
According to the advisory, it was discovered on December 1, 2023. Its discovery is credited to security researchers Mohammed Eldeeb and Islam R Alater. A patch for this vulnerability was released on December 7, though the advisory was not made public until January 22.
we @IslamRalsaid1 got some zero-days vulnerabilities in "goanywhere" product, patch your instance ASAP#0day #bugbounty pic.twitter.com/pazqDpYKmZ
— mohammed eldeeb (@malcolmx0x) December 5, 2023
CVE-2024-0204 is an authentication bypass vulnerability in Fortra’s GoAnywhere MFT software. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable GoAnywhere MFT instance. Successful exploitation would allow an attacker to bypass authentication to create new users, including a user with administrator privileges.
Based on Tenable’s telemetry as of January 23, 96.4% of GoAnywhere MFT assets are using an affected version, while 3.6% are using a fixed version.
*The figures presented in this chart are representative of a data snapshot on January 23, 2024.
Despite being released on November 15, only 1.6% of assets in Tenable’s telemetry are using GoAnywhere 7.4.0.
Historical targeting of GoAnywhere MFT and Clop’s penchant to target MFTs
In late January 2023, CVE-2023-0669, a zero-day command injection vulnerability in GoAnywhere MFT was exploited by the Cl0p ransomware group to steal data from organizations, which were used for extortion. The group claims they stole data from “over 130 organizations” using the flaw.
The Cl0p ransomware group has consistently targeted file transfer solutions as part of their ransomware campaigns over the last three years including several flaws in Accellion’s File Transfer Appliance (FTA) in late 2020/early 2021, CVE-2023-0669 in Fortra’s GoAnywhere MFT in January 2023 and CVE-2023-34362 in Progress Software’s MOVEit Secure MFT in May 2023.
The attacks by Cl0p gained attention from The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) who issued a joint cybersecurity advisory for CVE-2023-34362 (AA23-158A) in June as part of their #StopRansowmare campaign.While researchers were credited with discovering CVE-2024-0204, it is not out of the realm of possibility that Cl0p or another ransomware group may adopt this flaw in conducting attacks against vulnerable organizations. We strongly encourage affected customers to apply the available patch as soon as possible.
Public proof-of-concept exploit available for CVE-2024-0204
On January 23, researchers at Horizon3.ai published a blog post analyzing CVE-2024-0204. The blog post also includes a proof-of-concept (PoC) for the vulnerability.
Ease of exploitation of CVE-2024-0204 is considered relatively easy. On Mastodon, security researcher Kevin Beaumont says the flaw is “incredibly easy to exploit” adding that it is a “1998 style” path traversal flaw.
With the availability of a PoC, we anticipate exploit scanning to begin soon, followed by in-the-wild exploitation of this flaw.
Horizon3.ai researchers published a working proof-of-concept exploit to GitHub on January 23 that exploits CVE-2024-0204 to create an administrative user.
The following are the affected and fixed versions of GoAnywhere MFT:
Affected Version | Fixed Version |
---|---|
7.4.0 and below | 7.4.1 |
6.0.1 and above | Upgrade to 7.4.1 |
Fortra released version 7.4.1 of GoAnywhere MFT on December 7 according to its release notes. In the release notes, Fortra references fixing a “authentication bypass issue” that could allow “invalid access to create new users.” While Fortra has yet to include a reference to CVE-2024-0204 in its release notes as of January 23, they confirm this is the fixed version for this CVE in its security advisory.
If applying the patches are not feasible, Fortra provides two mitigation options for affected customers:
Deployment Type | Mitigation |
---|---|
Non-container Deployment | Delete “InitialAccountSetup.xhtml” from installation directory and restart services |
Container Deployment | Replace “InitialAccountSetup.xhtml” from installation directory with an empty file and restart services |
A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-0204 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Satnam joined Tenable in 2018. He has over 15 years experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He's appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.
Interests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music and Grogu (Baby Yoda).
Enter your email and never miss timely alerts and security guidance from the experts at Tenable.
Formerly Tenable.io
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.
Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.
Formerly Tenable.io
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
100 assets
Choose Your Subscription Option:
Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.
Formerly Tenable.io
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.
Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.
Formerly Tenable.io
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
100 assets
Choose Your Subscription Option:
Thank you for your interest in Tenable.io. A representative will be in touch soon.
Formerly Tenable.io
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.
Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.
Formerly Tenable.io
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
100 assets
Choose Your Subscription Option:
Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.
Formerly Tenable.io Web Application Scanning
Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.
Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.
Formerly Tenable.io Web Application Scanning
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.
Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.
Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.
Thank you for your interest in Tenable Lumin. A representative will be in touch soon.
Formerly Tenable.sc
Please fill out this form with your contact information.
A sales representative will contact you shortly to schedule a demo.
* Field is required
Formerly Tenable.ot
Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.
Formerly Tenable.ad
Continuously detect and respond to Active Directory attacks. No agents. No privileges.
On-prem and in the cloud.
Exceptional unified cloud security awaits you!
We’ll show you exactly how Tenable Cloud Security helps you deliver multi-cloud asset discovery, prioritized risk assessments and automated compliance/audit reports.
Exposure management for the modern attack surface.
Formerly Tenable.asm
Know the exposure of every asset on any platform.
Thank you for your interest in Tenable Attack Surface Management. A representative will be in touch soon.
FREE FOR 7 DAYS
Tenable Nessus is the most comprehensive vulnerability scanner on the market today.
Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.
Fill out the form below to continue with a Nessus Pro Trial.
Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.
Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.
FREE FOR 7 DAYS
Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.
Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.
Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.
Tenable solutions help fulfill all SLCGP requirements. Connect with a Tenable representative to learn more.