Attack Surface Management , Security Operations

Fortra GoAnywhere MFT Flaw Grants Admin Access to Anyone

'/..;/' Strikes Again
Fortra GoAnywhere MFT Flaw Grants Admin Access to Anyone
More flaws in file transfer software (Image: Shutterstock)

A security vulnerability in Fortra's GoAnywhere managed file transfer software can allow unauthorized users to create a new admin user.

See Also: Attack Surface Management Automation: Missteps and Solutions

The flaw, tracked as CVE-2024-0204, is a remotely exploitable authentication bypass flaw in Fortra's GoAnywhere MFT.

Fortra users can mitigate the issue by upgrading to versions 7.4.1 or higher. Users can also reduce the vulnerability's impact by removing the InitialAccountSetup.xhtml file from the installation directory and restarting the service.

The company posted an internal security advisory on Dec. 4, 2023, according to screenshots shared on social media by the researchers credited with discovering and reporting the flaw.

GoAnywhere MFT gained mainstream recognition after Russian-speaking digital extortion group Clop last March exploited a zero-day in the widely used managed file transfer software to breach a slew of blue chip organizations including Rio Tinto, Hitachi Energy, Procter & Gamble and Munich RE (see: Clop GoAnywhere Attacks Have Now Hit 130 Organizations).

That hack was the start of a run of file transfer software hacking that included a mass data exfiltration event spearheaded by Clop against vulnerable Progress Software's MOVEit secure file transfer software (see: Hackers Hit Secure File Transfer Software Again and Again).

File transfer software proved a lucrative target for ransomware hackers given how organizations often didn't monitor them for malicious traffic while also exposing administrative interfaces to the open internet, said Chief Attack Engineer Zach Hanley, who published a proof-of-concept exploit for the flaw.

The exploit takes advantage of a configuration error common in the Apache Tomcat runtime environment for Java, Hanley said. A quirk of Tomcat, he said, is that hackers can force path traversal attacks by inserting the special characters /..;/ into a URL.

"It's really that same issue, over and over again, where a developer has used the Tomcat framework and they were unaware of this issue," Hanley told Information Security Media Group. Application security testing firm Acunetix said the flaw occurs when developers combine Tomcat with a reverse proxy. Tomcat on its own will normalize a path by deleting ;, but a reverse proxy will send the malicious URL as is, allowing path traversal.

The attacker uses the special characters to force GoAnywhere into calling the initial account set-up wizard, bypassing a filter meant to stop the wizard from activating after the initial setup.

In an ideal world, Hanley said, developers would reject URLs containing the special characters from executing in Tomcat environments, but it's possible that Tomcat developers don't have control of inspecting the URLs. "They could be using one framework to route requests to their Tomcat application, and they might not have built an application just on Tomcat in the data flow where they can inspect the traffic," he said.

"It's complicated," he added. "It's really, really complicated."

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.