Fortra GoAnywhere MFT Flaw Grants Admin Access to Anyone
'/..;/' Strikes Again
A security vulnerability in Fortra's GoAnywhere managed file transfer software can allow unauthorized users to create a new admin user.
The flaw, tracked as CVE-2024-0204, is a remotely exploitable authentication bypass flaw in Fortra's GoAnywhere MFT.
Fortra users can mitigate the issue by upgrading to version 7.4.1 or higher. Users can also reduce the vulnerability's impact by removing the InitialAccountSetup.xhtml file from the installation directory and restarting the service.
The company posted an internal security advisory on Dec. 4, 2023, according to screenshots shared on social media by the researchers credited with discovering and reporting the flaw.
GoAnywhere MFT gained mainstream recognition after Russian-speaking digital extortion group Clop last March exploited a zero-day in the widely used managed file transfer software to breach a slew of blue chip organizations including Rio Tinto, Hitachi Energy, Procter & Gamble and Munich RE (see: Clop GoAnywhere Attacks Have Now Hit 130 Organizations).
That hack was the start of a run of file transfer software hacking that included a mass data exfiltration event spearheaded by Clop against vulnerable Progress Software's MOVEit secure file transfer software (see: Hackers Hit Secure File Transfer Software Again and Again).
File transfer software proved a lucrative target for ransomware hackers given how organizations often didn't monitor them for malicious traffic while also exposing administrative interfaces to the open internet, said Horizon3.ai Chief Attack Engineer Zach Hanley, who published a proof-of-concept exploit for the flaw.
The exploit takes advantage of a configuration error common in the Apache Tomcat runtime environment for Java, Hanley said. A quirk of Tomcat, he said, is that hackers can force path traversal attacks by inserting the special characters /..;/ into a URL.
"It's really that same issue, over and over again, where a developer has used the Tomcat framework and they were unaware of this issue," Hanley told Information Security Media Group. Application security testing firm Acunetix said the flaw occurs when developers combine Tomcat with a reverse proxy. Tomcat on its own will normalize a path by deleting the ";", but a reverse proxy will send the malicious URL as is, allowing path traversal.
The attacker uses the special characters to force GoAnywhere into calling the initial account set-up wizard, bypassing a filter meant to stop the wizard from activating after the initial setup.
In an ideal world, Hanley said, developers would reject URLs containing the special characters from executing in Tomcat environments, but it's possible that Tomcat developers don't have control of inspecting the URLs. "They could be using one framework to route requests to their Tomcat application, and they might not have built an application just on Tomcat in the data flow where they can inspect the traffic," he said.
"It's complicated," he added. "It's really, really complicated."
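As an added illustration (not code from the article, Fortra or Horizon3.ai), this Python sketch models the parser mismatch described above and flags access-log requests in which a ".." segment carries a ";" path parameter. The log lines, the /portal paths and the simplified normalization model are constructed assumptions; only the InitialAccountSetup.xhtml file name comes from the article.

```python
import posixpath
import re
from urllib.parse import urlsplit

SETUP_PAGE = "InitialAccountSetup.xhtml"  # file named in the article's mitigation
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed access-log lines (documentation IPs, hypothetical /portal paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Jan/2024:10:01:02 +0000] "GET /portal/login.xhtml HTTP/1.1" 200 5120',
    '203.0.113.7 - - [23/Jan/2024:10:01:05 +0000] "GET /portal/static/..;/InitialAccountSetup.xhtml HTTP/1.1" 200 8411',
    '198.51.100.4 - - [23/Jan/2024:10:02:11 +0000] "GET /portal/report;jsessionid=ABC123 HTTP/1.1" 200 901',
    '198.51.100.4 - - [23/Jan/2024:10:02:15 +0000] "GET /portal/docs/../help.xhtml HTTP/1.1" 200 300',
]

def proxy_view(path):
    # Assumed front end that treats ';' as an ordinary character: '..;' is not '..'.
    return posixpath.normpath(path)

def container_view(path):
    # Simplified container model: drop ';params' per segment, then resolve dot-segments.
    stripped = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return posixpath.normpath(stripped)

def has_param_dot_segment(path):
    # True when a segment such as '..;' or '..;x=1' hides a parent reference.
    return any(";" in seg and seg.split(";", 1)[0] == ".."
               for seg in path.split("/"))

def scan(lines):
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path = urlsplit(m.group("target")).path
        if has_param_dot_segment(path):
            resolved = container_view(path)
            findings.append({
                "raw": path,
                "proxy_view": proxy_view(path),
                "container_view": resolved,
                "reaches_setup_page": resolved.endswith("/" + SETUP_PAGE),
            })
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The ordinary ;jsessionid parameter and the plain ../ request are not flagged, because in both cases the two views agree on which resource is being addressed.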