A severe authentication bypass security flaw riddled the GoAnywhere MFT that could allow creating rogue admin accounts. While the developers patched the vulnerability already, researchers could still develop a working exploit for it, urging users to update to the latest versions.
Fortra Patched The GoAnywhere MFT Authentication Bypass Flaw
According to a recent advisory, Fortra released a security update to GoAnywhere MFT, addressing a critical security flaw. As described, the vulnerability could let an attacker create admin accounts without authentication.
The advisory didn’t explain much detail about the vulnerability (CVE-2024-0204 (CVSS 9.8)). Yet, it did state that the issue affects the Fortra GoAnywhere MFT 6.x from 6.0.1, and Fortra GoAnywhere MFT 7.x before 7.4.1. Consequently, the firm patched the vulnerability with the GoAnywhere MFT version 7.4.1, urging users to update to this release.
Alongside releasing the patch, Fortra also suggested mitigations for the vulnerability. Specifically, they recommended deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services for non-container deployments. Whereas, for container deployments, users may simply replace the file with an empty file and restart the services.
Exploit Developed For The GoAnywhere Auth Bypass
Shortly after Fortra’s advisory, security researchers from the Horizon3.ai could still develop a PoC for it.
Briefly, the researchers leveraged the known path traversal issue with Tomcat-based apps that allows access to restricted pages. This issue arises when the request includes /..;/. Hence, they exploited this vulnerability, sending the request https://192.168.1.1:8001/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml to the vulnerable InitialAccountSetup.xhtml endpoint, gaining access to the setup page. Next, submitting the account creation form including the path traversal let them create the new admin account.
The researchers have shared their detailed analysis in their post, sharing the PoC exploit on GitHub. For the users, the researchers advise scanning the existing Admin accounts on the GoAnywhere administrator portal to detect potential rogue accounts. Finding such accounts could also help the users determine the timeline of the breach. Besides, users may also look for any new account entries in the database logs at \GoAnywhere\userdata\database\goanywhere\log\*.log.
Let us know your thoughts in the comments.