A newly disclosed vulnerability in GoAnywhere Managed File Transfer (MFT), the file-transfer product owned by Fortra, raises significant security concerns. The flaw, tracked as CVE-2024-0204, carries a critical CVSS score of 9.8 and allows an unauthenticated attacker to create additional administrative users through the product's administration portal.
Security Measures and Vulnerability Details
In response, Fortra has issued a security advisory stating that GoAnywhere MFT versions 6.x from 6.0.1, and 7.x prior to 7.4.1, are affected. The company classifies the issue as an authentication bypass and advises upgrading to 7.4.1 or later. Where an immediate upgrade is not possible, the published workaround is to delete the InitialAccountSetup.xhtml file in the install directory and restart the services; for container deployments, the file is replaced with an empty file instead and the container restarted.
Further scrutiny shows that the vulnerability centers on the /InitialAccountSetup.xhtml endpoint, the wizard page used to create the first administrator account when the product is installed. Once that initial setup has been completed, the endpoint is meant to be unreachable: any request for it should be redirected away from the wizard to the application's normal, authenticated pages.
Investigation and Proof-of-Concept
Researchers have recreated the exploit and published a proof-of-concept on GitHub. The vulnerability lies in the application's security filter, which fails to properly restrict access to the initial account setup endpoint under certain conditions.
The filter makes two decisions. If no admin user exists yet and the request is for any other path, it redirects the client to the setup page; if an admin user already exists and the request path is the setup page, it redirects the client to the dashboard. The second check is what should lock the wizard after setup, and the bypass works because that check is evaluated against the request path as the client wrote it rather than against the resource the server will actually serve.
Exploitation Tactics and Indicators
Exploitation uses a path traversal trick: the attacker requests the setup page through an altered path that the server resolves to the same resource but that the filter's comparison does not recognize, so the post-setup redirect never fires. Once the wizard is reached, the attacker simply completes it to create a new admin user. A detailed report by Horizon3 walks through the relevant source code and the exploitation process.
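The following is an added illustration of the bug class described in the two preceding sections (the two-branch filter and the traversal bypass); it is example code written for this page, not GoAnywhere's code or Horizon3's proof-of-concept. It assumes a simplified servlet container that discards ';param' path-parameter segments and collapses '..' segments when mapping a request URI to a resource, and the resource and dashboard paths are placeholders chosen for the example. The vulnerable filter compares the raw request path; the hardened variant makes the same two decisions on the resolved path.

```python
import re
from posixpath import normpath

SETUP_PAGE = "/wizard/InitialAccountSetup.xhtml"  # assumed resource path for this example
DASHBOARD = "/Dashboard.xhtml"                    # assumed post-setup landing page


def servlet_resolve(raw_path: str) -> str:
    """Emulate how a servlet container maps a request URI onto a resource:
    ';param' path-parameter segments are discarded and '..' segments are
    collapsed, so '/..;/wizard/x' is served as '/wizard/x'.
    Simplified assumption for this example, not a full implementation."""
    without_params = re.sub(r";[^/]*", "", raw_path)
    return normpath(without_params)


def vulnerable_filter(raw_path: str, admin_exists: bool) -> tuple[str, str]:
    """Two-branch guard that compares the *raw* request path (the flaw)."""
    # Branch 1: no admin yet, so every other request is sent to the wizard.
    if not admin_exists and raw_path != SETUP_PAGE:
        return ("redirect", SETUP_PAGE)
    # Branch 2: an admin exists, so the wizard must not be reachable any more.
    # This string comparison never sees the traversal-laden spelling.
    if admin_exists and raw_path == SETUP_PAGE:
        return ("redirect", DASHBOARD)
    return ("serve", servlet_resolve(raw_path))


def hardened_filter(raw_path: str, admin_exists: bool) -> tuple[str, str]:
    """Same two branches, decided on the resource the container will actually
    serve, so encoded or traversal-laden spellings cannot slip past."""
    path = servlet_resolve(raw_path)
    if not admin_exists and path != SETUP_PAGE:
        return ("redirect", SETUP_PAGE)
    if admin_exists and path == SETUP_PAGE:
        return ("redirect", DASHBOARD)
    return ("serve", path)


def demo() -> dict[str, tuple[str, str]]:
    # Path-parameter traversal spelling of the setup page (example input).
    traversal = "/..;/wizard/InitialAccountSetup.xhtml"
    return {
        "direct_vulnerable":    vulnerable_filter(SETUP_PAGE, admin_exists=True),
        "traversal_vulnerable": vulnerable_filter(traversal, admin_exists=True),
        "traversal_hardened":   hardened_filter(traversal, admin_exists=True),
        "no_admin_yet":         hardened_filter("/Dashboard.xhtml", admin_exists=False),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} -> {outcome}")
```

The vulnerable filter redirects a direct request for the setup page but serves the traversal spelling, because it never normalizes before comparing; the hardened filter redirects both. Fortra's published remedy was to remove the file (or upgrade), not to patch the comparison; the hardened version here only shows the general correction for a guard that inspects an un-normalized path.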
To detect possible compromise, administrators should review the Admin Users group in the GoAnywhere administration portal for accounts they do not recognize, and check the database logs in the installation's userdata directory for inserts into the admin user tables around the suspected time. Web server or reverse-proxy access logs are also worth checking for requests to InitialAccountSetup.xhtml after initial setup, particularly ones that use traversal or percent-encoding tricks in the path. These steps are crucial in identifying and mitigating the risks posed by this critical vulnerability.
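As an added example of the checks above (written for this page, not tooling from Fortra or Horizon3), the script below scans access-log lines for requests that resolve to the setup page after normalization and compares a current admin-user list against a known-good baseline. The log lines and user lists are constructed for the example; the context path /goanywhere and the assumption that the admin list can be exported as plain usernames are placeholders, and the canonicalization (percent-decode, drop ';param' segments, collapse '..') is a generalization of the traversal technique rather than a claim about one exact payload.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

SETUP_PAGE = "/wizard/InitialAccountSetup.xhtml"

# Constructed Common Log Format lines for this example; not real GoAnywhere
# or proxy output. Lines 2, 3 and 5 reach the setup page via obfuscated paths.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [22/Jan/2024:10:01:02 +0000] "GET /goanywhere/auth/Login.xhtml HTTP/1.1" 200 5120
203.0.113.10 - - [22/Jan/2024:10:01:09 +0000] "GET /goanywhere/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 8210
203.0.113.10 - - [22/Jan/2024:10:01:31 +0000] "POST /goanywhere/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 302 0
198.51.100.7 - - [22/Jan/2024:10:05:00 +0000] "GET /goanywhere/wizard/InitialAccountSetup.xhtml HTTP/1.1" 302 0
198.51.100.7 - - [22/Jan/2024:10:06:00 +0000] "GET /goanywhere/%2e%2e%3b/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 8210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def canonical_path(target: str) -> str:
    """Reduce a request target to the resource the container would serve:
    strip the query, percent-decode twice (double encoding), drop ';param'
    path-parameter segments, then collapse '.' and '..' segments."""
    path = target.split("?", 1)[0]
    path = unquote(unquote(path))
    path = re.sub(r";[^/]*", "", path)
    return normpath(path)


def scan_access_log(text: str) -> list[dict]:
    """Flag requests that resolve to the setup page after initial setup.
    A plain GET that was redirected (302) is the filter doing its job;
    anything else that reaches the page is reported with the reasons."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        raw_path = m["target"].split("?", 1)[0]
        canon = canonical_path(raw_path)
        if not canon.endswith(SETUP_PAGE):
            continue
        reasons = []
        if raw_path != canon:
            reasons.append("path-obfuscation")
        if m["status"] == "200":
            reasons.append("setup-page-served-not-redirected")
        if m["method"] == "POST":
            reasons.append("setup-form-submitted")
        if reasons:
            findings.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                             "raw_path": raw_path, "reasons": reasons})
    return findings


# Constructed admin-user lists: a baseline captured before the advisory and the
# current Admin Users group as exported from the portal (assumed export format:
# one username per entry).
BASELINE_ADMINS = ["administrator", "mft-admin"]
CURRENT_ADMINS = ["administrator", "mft-admin", "svc_backup"]


def new_admin_users(baseline: list[str], current: list[str]) -> list[str]:
    """Admin accounts present now that were not in the known-good baseline."""
    return sorted(set(current) - set(baseline))


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print(finding)
    print("unexpected admin users:", new_admin_users(BASELINE_ADMINS, CURRENT_ADMINS))
```

Against the sample input the scanner reports the two obfuscated GETs that were served with 200 and the POST that submitted the wizard form, while the clean GET that was redirected is left alone; the baseline comparison surfaces svc_backup as the account to investigate. Any unexpected admin user should be treated as evidence of compromise until proven otherwise, since the vulnerability gives the attacker a fully privileged account rather than a foothold that still needs escalation.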