A critical vulnerability, CVE-2024-0204, impacting Fortra’s GoAnywhere Managed File Transfer (MFT) software, was disclosed on January 22, 2024. This flaw allows unauthorized users to create administrative accounts, posing a serious threat to the application’s security. This blog delves into the technical aspects of this authentication bypass and explores the potential risks associated with it.
Here’s everything you need to know about CVE-2024-0204:
What is CVE-2024-0204?
CVE-2024-0204 is a remotely exploitable flaw that arises from a path traversal weakness in the /InitialAccountSetup.xhtml endpoint. This vulnerability enables an attacker to create administrative users, potentially leading to a complete takeover of the device. The flaw impacts Fortra GoAnywhere MFT 6.x (from 6.0.1) and Fortra GoAnywhere MFT 7.4.0 and earlier versions. Fortra addressed this issue in the release of GoAnywhere MFT version 7.4.1 on December 7, 2023.
Creating arbitrary accounts with administrative privileges can lead to a complete device takeover. In the case of GoAnywhere MFT, that would allow attackers to access sensitive data, introduce malware, and potentially enable further attacks within the network.
Does CVE-2024-0204 affect me?
The flaw impacts Fortra GoAnywhere MFT 6.x from 6.0.1 and Fortra GoAnywhere MFT 7.4.0 and earlier and was fixed in GoAnywhere MFT 7.4.1. Fortra took swift action, releasing a patch on December 7, 2023, although the official advisory only surfaced on January 22, 2024. Users are urgently advised to update to GoAnywhere MFT version 7.4.1 or newer. Mitigation steps involve deleting the “InitialAccountSetup.xhtml” file in non-container deployments, coupled with a restart. Container-deployed instances should replace the file with an empty one and restart services.
Has CVE-2024-0204 been actively exploited in the wild?
As of the latest information available, Fortra asserts that there have been no reports of active exploitation in the wild. The vulnerability was promptly patched in December 2023. However, now that mitigations and details have been disclosed, proof-of-concept exploits may surface soon; indeed, cybersecurity firm Horizon3.ai has published a proof-of-concept (PoC) exploit for CVE-2024-0204.
How to fix CVE-2024-0204
Fortra advises all users to install the latest update (currently 7.4.1) to fix the vulnerability. Examination of the SecurityFilter class shows explicit checks tied to the /InitialAccountSetup.xhtml endpoint; those checks can be sidestepped with path traversal, allowing the setup page to be reached again after initial setup has completed. Exploitation involves submitting the setup form via a crafted request whose path contains traversal elements.
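The following Python is an added illustration, not Fortra's code and not the Horizon3.ai PoC: it models the bug class the SecurityFilter description points at (a hypothetical filter that compares the raw URI against the protected page, beside one that compares the canonical path) and scans constructed access-log lines for requests that reach the setup page through a non-canonical path. The filter functions, the log format and the sample paths are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

SETUP_PAGE = "/InitialAccountSetup.xhtml"
# Combined log format is an assumption; GoAnywhere's real log layout may differ.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def normalize_path(raw_path: str) -> str:
    """Canonicalise a request path the way a servlet container would before
    routing: drop the query string, percent-decode (twice, so doubly encoded
    dot segments do not survive), collapse leading slashes, "." and ".."."""
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path))
    return posixpath.normpath("/" + path.lstrip("/"))

def naive_filter_allows(raw_path: str, setup_complete: bool) -> bool:
    """Hypothetical filter modelling the bug class: it compares the raw URI
    with the protected page, so any traversal spelling of that page passes."""
    return not (setup_complete and raw_path == SETUP_PAGE)

def hardened_filter_allows(raw_path: str, setup_complete: bool) -> bool:
    """Same rule evaluated on the canonical path the container will route to."""
    return not (setup_complete and normalize_path(raw_path) == SETUP_PAGE)

def find_setup_page_hits(log_lines):
    """Return (raw_path, status) for requests that resolve to the setup page
    through a non-canonical path: the pattern to hunt for after setup is done."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        raw = m.group("path").split("?", 1)[0]
        if raw != SETUP_PAGE and normalize_path(raw) == SETUP_PAGE:
            hits.append((raw, int(m.group("status"))))
    return hits

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jan/2024:10:00:01 +0000] "GET /InitialAccountSetup.xhtml HTTP/1.1" 403 0',
    '203.0.113.5 - - [22/Jan/2024:10:00:05 +0000] "POST /help/../InitialAccountSetup.xhtml HTTP/1.1" 200 1882',
    '198.51.100.7 - - [22/Jan/2024:10:01:00 +0000] "GET /%2e%2e/InitialAccountSetup.xhtml HTTP/1.1" 200 1882',
    '198.51.100.7 - - [22/Jan/2024:10:02:00 +0000] "GET /index.xhtml HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for raw, status in find_setup_page_hits(SAMPLE_LOG):
        print(f"non-canonical setup-page request: {raw} -> HTTP {status}")
```

A 200 on such a request after initial setup is complete is the signal worth alerting on; a 403 on the canonical path alone says nothing about whether the traversal form was blocked.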
Users who cannot immediately upgrade to GoAnywhere MFT 7.4.1 have two manual mitigation options:
- Delete the InitialAccountSetup.xhtml file in the installation directory and restart services.
- Replace the InitialAccountSetup.xhtml file with an empty file and restart services.
Next steps
Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: