CVE-2024-0204 in GoAnywhere MFT is a Ticking Time Bomb

High contrast image of a time bomb on a wooden background

Image source: Shutterstock

More than 96% of GoAnywhere MFT assets that security vendor Tenable observed on Jan 23 were vulnerable.

Mass attacks could soon begin against a critical authentication bypass flaw in Fortra’s GoAnywhere Managed File Transfer (MFT) technology following the release of a proof-of-concept exploit for it this week.

Fortra informed customers privately about the vulnerability (CVE-2024-0204) on Dec 7, 2023, and issued a patch for it at the same time. The flaw allows an unauthenticated attacker to circumvent authentication checks and create admin and other accounts on vulnerable instances of the file transfer technology. Fortra disclosed the flaw publicly on Jan 23, meaning customers had some seven weeks to upgrade to fixed versions of the software.

Significant Attack Risk

Those that haven’t done so yet are at significant risk of attack given how popular a target file transfer technologies are in general among attackers, and more specifically, given the availability of public exploit code. Ease of exploitation is another factor. Fortra has assessed CVE-2024-0204 as being exploitable over the network, involving low attack complexity, and requiring no user authentication or interaction. As security researcher Kevin Beaumont noted in a Mastodon post. the “GoAnywhere MFT vulnerability is incredibly easy to exploit. Another path traversal, 1998 style. Expect extortion.”

According to Tenable, as of Jan 23, more than 96% of GoAnywhere MFT assets on the Internet appear to be running a vulnerable version of the software. That gives attacker a lot of targets to go after.

Quick take

  • Attackers can exploit CVE-2024-0204 to establish new admin accounts on vulnerable instances of GoAnywhere MFT.
  • According to “The easiest indicator of compromise that can be analyzed is for any new additions to the Admin Users group in the GoAnywhere administrator portal Users -> Admin Users section.”
  • Proof-of-concept code for the flaw is publicly available meaning attacks are likely imminent.
  • Researchers consider the flaw as trivially easy to exploit.
  • In 2023, Cl0p ransomware actors breached 130 organizations via a GoAnywhere MFT flaw (CVE-2023-0669)

CVE-2024-0204 (CVSS score 9.8) is present in Fortra GoAnywhere MFT 6.x from 6.0.1 and Fortra GoAnywhere MFT 7.x before 7.4.1.

Fortra has addressed the vulnerability in versions 7.4.1 and higher and wants organizations using the technology to upgrade to the new versions. “The vulnerability may also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services,” Fortra said in its advisory. ” For container-deployed instances, replace the file with an empty file and restart.”

Researchers at released a PoC exploit for CVE-2024-0204 soon after Fortra disclosed the vulnerability. The code demonstrates how an attacker can exploit the bug to create an admin account on a vulnerable instance of GoAnywhere MFT. According to security researcher Kevin Beaumont,

Delaying is a Mistake

Organizations, that for any reason, want to delay upgrading or applying Fortra’s recommended measures might want to take another look at CVE-2023-0669, a critical remote code injection bug that Fortra disclosed in GoAnywhere MFT roughly around the same time last year. The Cl0p ransomware gang exploited that bug as a zero-day—reportedly for months—before Fortra discovered and issued a fix for it. Some 130 organizations including Proctor & Gamble, Community Health Systems, cybersecurity vendor Rubrik and Hitachi Systems ended up with Cl0p on their systems via the flaw.

The same thing could happen with CVE-2024-0204.

“We would expect the vulnerability to be targeted quickly if it has not come under attack already, particularly since the fix has been available to reverse engineer for more than a month,” Rapid7’s chief of vulnerability research Caitlin Condon said in a Jan 23 blog. “Rapid7 strongly advises GoAnywhere MFT customers to take emergency action,” Condon wrote, while also urging customers to ensure the software’s administrative portals are not exposed to the public Internet.