Popular file transfer software has a seriously dangerous security bug that gives anyone free administrator rights — so patch it now to avoid another Moveit-like debacle
A bug allows threat actors to create a new admin account
GoAnywhere Managed File Transfer (MFT), the program at the center of a major data reach scandal around a year ago, may have a new high-severity vulnerability which users should patch immediately to avoid more trouble.
Cybersecurity researchers Mohammed Eldeeb and Islam Elrfai from Spark Engineering Consultants discovered the flaw in December 2023, and disclosed it to GoAnywhere’s developer, Fortra.
It is described as a path traversal weakness, and tracked as CVE-2024-0204. It has a severity score of 9.8/10, making it critical.
A workaround is available, too
As explained by the researchers, as well as cybersecurity firm Horizon3.ai, which subsequently published a proof-of-concept (PoC) exploit, the vulnerability can be used to create a new administrator user for the tool:
"Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal," a new Fortra advisory reads.
"The easiest indicator of compromise that can be analyzed is for any new additions to the Admin Users group in the GoAnywhere administrator portal Users -> Admin Users section," Horizon3.ai security researcher Zach Hanley said. "If the attacker has left this user here you may be able to observe its last logon activity here to gauge an approximate date of compromise."
Those who are unable to apply the patch at this time can apply a temporary workaround in non-container deployment - delete the InitialAccountSetup.xhtml file in the install directory and then restart the device. For container-deployed instances, Fortra recommends replacing the file with an empty one before restarting.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
There is currently no evidence of the vulnerability being exploited in the wild, but with the news broken, and a PoC available, it’s only a matter of time before unpatched endpoints get targeted. Users should apply the patch immediately and avoid risking the integrity of their data.
Last year, a vulnerability in GoAnywhere resulted in sensitive data from almost 130 organizations being stolen.
Via TheHackerNews
More from TechRadar Pro
- Second ransomware group reported exploiting GoAnywhere security flaw
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.