Hackers Ready to Go Anywhere with Critical Vulnerability in GoAnywhere MFT (CVE-2024-0204)

CVE-2024-0204, a critical authentication bypass vulnerability in Fortra's GoAnywhere Managed File Transfer (MFT) software, allows unauthorized users to create admin users and bypass authentication requirements. GoAnywhere MFT was previously targeted in cyberattacks by the Cl0p ransomware group with the zero-day vulnerability CVE-2023-0669.

Fortra released a security advisory for CVE-2024-0204 in January 2024, following a patch released in December 2023. All Fortra GoAnywhere MFT versions prior to 7.4.1 are affected by the vulnerability.

What is CVE-2024-0204?

Fortra describes the vulnerability as an authentication bypass in the GoAnywhere MFT solution and classifies the underlying weakness as CWE-425 (Direct Request). GoAnywhere MFT is a remote file transfer solution offering automation and improved data security. Used across a wide range of industries, GoAnywhere supports multiple compliance standards and file transfer protocols.

A direct request weakness means that the application does not enforce the required authorization before serving a restricted resource. With the GoAnywhere MFT vulnerability, unauthenticated attackers can create a new administrative user that carries the full set of admin permissions, including path traversal, read and write access, and command execution.

CVE-2024-0204 follows last year's CVE-2023-0669 (CVSS score of 7.2), a pre-authentication command injection vulnerability that also affected GoAnywhere MFT. CVE-2023-0669 required an emergency patch to protect against code injection leading to remote code execution. That vulnerability was exploited by the Cl0p ransomware group in January 2023, resulting in data breaches at 130 companies using GoAnywhere MFT. For further information on CVE-2023-0669, see Fortra's summary of their investigation.

The authentication bypass vulnerability has been assigned CVE-2024-0204 in the National Vulnerability Database. Fortra set a critical CVSS score of 9.8 (out of 10), which indicates the severity of the flaw according to the Common Vulnerability Scoring System. Fortra GoAnywhere MFT 7.4.0 and earlier are impacted.

In their January 22, 2024 security advisory, Fortra acknowledges the initial discovery on December 1, 2023 by Mohammed Eldeeb and Islam Elrfai from Spark Engineering Consultants. A swift patch release followed, with an updated version of the software available on December 7, 2023. Fortra has stated that they have not received reports of active exploitation by threat actors following the patch, though security researchers at Horizon3.ai have published a proof-of-concept (PoC) exploit on GitHub.

How to verify potential indicators of compromise

Though GoAnywhere's documentation is gated to current customers, installation guides for previous versions of the software indicate that the default administration ports are 8000 for HTTP connections and 8001 for secure HTTPS requests. Because GoAnywhere MFT's administration portal is web-based, an authentication bypass could be exploited if the console is reachable from the public internet.

In most circumstances, the administrative console is limited to a private network, through VPN access, or by allowed IP addresses. However, because this solution offers managed file transfer and companies may use this service for highly sensitive data, unauthorized access to the administrative settings has the potential to cause business-critical issues.

If your GoAnywhere administrative panel is accessible from the public internet and you have not upgraded to the patched version, you should immediately upgrade the service and evaluate potential indicators of compromise (IOCs).

Potential IOCs for CVE-2024-0204:

  • Access your administrator account creation endpoint from outside your perimeter (outside your internal network, off VPN, or from an unauthorized IP address). If you can create a new administrative user without user authentication, your service could be compromised.
  • Review the Admin Users group in the administrative console. Unauthorized new additions signal that an attacker may have compromised your service.
  • Review your logs at \GoAnywhere\userdata\database\goanywhere\log\*.log for any entries that indicate new user creation. Review the logs even if your Admin Users group shows no new users, as an attacker may have removed the unauthorized user after gaining access to the system.
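A log-review helper for the second and third checks above, added here as an example and not part of Fortra's or UpGuard's tooling. GoAnywhere's real log format is gated to customers, so the sample lines and the regular expression are constructed assumptions to be adapted on site; the point is that a created admin user is still reported even when a later entry shows it was deleted.

```python
from __future__ import annotations
import re
from pathlib import Path
from typing import Iterable

# Constructed sample log lines (NOT the real GoAnywhere log format; adapt the regex below).
SAMPLE_LOG = """\
2024-01-21 03:14:07 INFO  Admin user 'svc_backup' created from 10.0.5.12
2024-01-22 22:41:55 INFO  Admin user 'sysadm1n' created from 198.51.100.23
2024-01-22 22:58:02 INFO  Admin user 'sysadm1n' deleted from 198.51.100.23
"""

# Assumed event pattern: admin user created/deleted, with the source address of the request.
ADMIN_EVENT = re.compile(
    r"Admin user '(?P<user>[^']+)' (?P<action>created|deleted) from (?P<ip>\S+)"
)


def review_admin_events(lines: Iterable[str]) -> dict[str, dict]:
    """Collect every admin-user creation; a later deletion is flagged, not forgotten."""
    events: dict[str, dict] = {}
    for line in lines:
        m = ADMIN_EVENT.search(line)
        if not m:
            continue
        if m["action"] == "created":
            events[m["user"]] = {"source_ip": m["ip"], "later_deleted": False}
        elif m["user"] in events:  # deletion of a user we saw being created
            events[m["user"]]["later_deleted"] = True
    return events


def suspicious_creations(events: dict[str, dict], trusted_ips: set[str]) -> list[str]:
    """Admin users created from outside the addresses allowed to reach the console."""
    return sorted(u for u, e in events.items() if e["source_ip"] not in trusted_ips)


def review_log_dir(log_dir: Path, trusted_ips: set[str]) -> list[str]:
    """Walk every *.log in the GoAnywhere log directory and return suspicious admin users."""
    lines: list[str] = []
    for path in sorted(log_dir.glob("*.log")):
        lines.extend(path.read_text(errors="replace").splitlines())
    return suspicious_creations(review_admin_events(lines), trusted_ips)


if __name__ == "__main__":
    found = review_admin_events(SAMPLE_LOG.splitlines())
    for user in suspicious_creations(found, {"10.0.5.12"}):
        print(f"suspicious admin user: {user} (later deleted: {found[user]['later_deleted']})")
```

Run `review_log_dir(Path(r"\GoAnywhere\userdata\database\goanywhere\log"), {...})` with your own allowed admin addresses to apply the same check to real files.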

How to protect against CVE-2024-0204

If you have not yet upgraded to version 7.4.1 or higher, do so immediately. Fortra's version update includes a remedy for this vulnerability. Fortra customers can access the customer advisory in the customer portal (https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml), which provides the mitigation details for the critical vulnerability.

Fortra's public advisory includes two additional workarounds for eliminating the vulnerability:

  • For non-container deployments, delete the InitialAccountSetup.xhtml file in the install directory and restart the services.
  • For container-based deployments, replace the InitialAccountSetup.xhtml file with an empty file and restart the services.
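A small verification script for the upgrade and the two workarounds above, added as an example rather than taken from Fortra's advisory. It assumes the installed version is supplied as a string and that InitialAccountSetup.xhtml sits directly under the install directory; confirm the exact location against Fortra's advisory before relying on the result.

```python
from __future__ import annotations
from pathlib import Path

PATCHED = (7, 4, 1)  # first fixed release named in Fortra's advisory
WORKAROUND_FILE = "InitialAccountSetup.xhtml"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '7.4.0' into (7, 4, 0); missing components count as zero."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_patched(version: str) -> bool:
    """True when the running version is 7.4.1 or later."""
    return parse_version(version) >= PATCHED


def workaround_applied(install_dir: Path, containerized: bool) -> bool:
    """Non-container: the file must be gone. Container: it must exist but be empty.

    Assumption: the file lives directly under install_dir (adjust if the advisory says otherwise).
    """
    target = install_dir / WORKAROUND_FILE
    if containerized:
        return target.is_file() and target.stat().st_size == 0
    return not target.exists()


def exposure_status(version: str, install_dir: Path, containerized: bool) -> str:
    """'patched' beats 'workaround'; anything else is still exposed to CVE-2024-0204."""
    if is_patched(version):
        return "patched"
    if workaround_applied(install_dir, containerized):
        return "workaround"
    return "VULNERABLE"


if __name__ == "__main__":
    # Placeholder values: replace with the real version and install path of your deployment.
    print(exposure_status("7.4.0", Path("/opt/GoAnywhere"), containerized=False))
```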

In addition to mitigating the vulnerability, you should review your logs for the aforementioned indicators of compromise. If you identify unexpected activities, take immediate action in accordance with your incident response plan and communicate directly with Fortra regarding the issue.

Continuous monitoring of your external attack surface can help you take proactive measures against known and unknown vulnerabilities, including GoAnywhere's CVE-2024-0204. UpGuard maintains a vulnerability library for customers using BreachSight and Vendor Risk for risk management and vulnerability management. We are monitoring the situation for further information as we add the GoAnywhere authentication bypass vulnerability to UpGuard's vulnerability library.
