Executive Summary:

• A proof of concept (PoC) was just released for a critical authentication bypass vulnerability in Fortra GoAnywhere MFT (CVE-2024-0204)
• Censys currently observes nearly 170 hosts (including some only accessible via vhost/SNI) with exposed GoAnywhere admin interfaces. Although it’s unclear how many of these are vulnerable, the combination of the sensitive nature of data typically stored in MFT tools and the simplicity of this exploit, raises concerns. Failure to patch these exposed servers will likely lead to compromise
• Upgrade your GoAnywhere MFT instances to version 7.4.1 or follow the workarounds in Fortra’s customer advisory ASAP
• It’s good practice to avoid exposing admin interfaces of any kind to the public internet

Another day, another MFT exploit.

Over the past year, Managed File Transfer (MFT) applications have experienced a notable surge in attacks, a trend we’ve reported on multiple occasions. These tools are appealing targets for multiple reasons: they frequently house sensitive data, and they’re typically designed to function over web-accessible interfaces. While the latter enhances user accessibility, it also often creates additional initial access points, especially since admin interfaces are often misconfigured to allow access from the public internet.

Fortra’s GoAnywhere MFT is one such tool that garnered significant attention last year for CVE-2023-0669, a zero-day that saw widespread exploitation from the Cl0p ransomware gang.

GoAnywhere is back in the news again after a PoC dropped yesterday for a new vulnerability: CVE-2024-0204, a critical authentication bypass bug that allows unauthenticated users to create admin accounts through the administrative console.

The PoC demonstrates how easy this exploit is. A malicious actor can leverage a path traversal bug to redirect to the vulnerable /InitialAccountSetup.xhtml endpoint, revealing GoAnywhere’s initial account setup screen. Note that this vulnerability impacts the admin console, not the web client interface.

While Fortra patched the issue in GoAnywhere 7.4.1 in December, a public security advisory was only released a few days ago, showing a step forward in transparency after a trend of disclosures hidden behind customer login walls.

Censys Findings:

As of Wednesday January 24, Censys sees slightly fewer than 170 hosts exposing GoAnywhere MFT administrative interfaces on the public internet. Although this isn’t the most extensive level of exposure we’ve encountered, it does raise concerns given the nature of the data stored in these instances. The relatively small number of hosts belies the potential damage that could occur with just one compromise. Given how easy these are to find and the straightforwardness of the exploit, we expect any exposed unpatched instances will likely be compromised.

A vulnerable GoAnywhere MFT administrator interface exposed to the internet

The majority of these admin interfaces are running on the default port settings – 8000 and 8001. Note that there can be more than one service per host.

We see a notable presence of these interfaces in the United States and Europe.

Over 60% of these interfaces are hosted in Amazon, Microsoft, or Google Cloud networks.

We expect to see a rise in scanning and compromise of exposed unpatched GoAnywhere MFT instances. Patching immediately is crucial.

It looks like GoAnywhere vulnerabilities are, in fact, going nowhere for the time being.

What Can be Done?

• Update your GoAnywhere instances to version 7.4.1 or a later release to address this vulnerability. Per Fortra’s vendor advisory, if patching is not possible there are manual steps you can take for non-container & container-deployed instances:
• “The vulnerability may also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart.”
• To check for IoCs, inspect the Admin Users group in your admin portal for any newly added administrators and review the last login activity to get an estimate for time of compromise. Keep in mind that the threat actor may have successfully compromised the system and deleted these traces before detection.
• Use this Censys Search query to check your network for exposed administrative interfaces.
• Censys Exposure Management customers can use the following query for their workspaces:  host.services: (http.request.uri:"/goanywhere" AND NOT http.request.uri:"/webclient/Login.xhtml")
• You can evaluate exposures of the most common managed file transfer tools using this Censys Search query: labels:managed-file-transfer

References:

• https://www.fortra.com/security/advisory/fi-2024-001
• https://nvd.nist.gov/vuln/detail/CVE-2024-0204
• https://www.bleepingcomputer.com/news/security/exploit-released-for-fortra-goanywhere-mft-auth-bypass-bug/
• https://www.horizon3.ai/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive/