CVE-2023-2989

9.1 CRITICAL

📋 TL;DR

An out-of-bounds memory read in the Fortra Globalscape EFT administration server lets an attacker read memory beyond allocated bounds, which can crash the service or bypass authentication to the administration interface. All EFT versions before 8.1.0.16 are affected, putting organizations that rely on this managed file transfer product at risk.

💻 Affected Systems

Products:
  • Fortra Globalscape EFT (Enhanced File Transfer)
Versions: All versions before 8.1.0.16
Operating Systems: Windows Server (EFT is a Windows-only product)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the administration server component specifically. All deployments with vulnerable versions are affected regardless of configuration.

📦 What is this software?

Globalscape EFT (Enhanced File Transfer) is Fortra's managed file transfer (MFT) server, used to exchange files with partners and internal systems over protocols such as SFTP, FTPS and HTTPS. The administration server is the component administrators connect to (default TCP 1100) to configure and manage EFT; this CVE is in that component.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete authentication bypass leading to unauthorized administrative access, data exfiltration, and potential full system compromise.

🟠

Likely Case

Service disruption through denial of service (crash) or limited authentication bypass allowing partial unauthorized access.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent exploitation attempts.

🌐 Internet-Facing: HIGH - Internet-facing administration servers are directly exposed to exploitation attempts.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires network access to the administration server port (default TCP 1100). No public PoC is known, but the critical CVSS score and the authentication-bypass outcome make weaponization likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.1.0.16 or later

Vendor Advisory: https://kb.globalscape.com/Knowledgebase/11586/Is-EFT-susceptible-to-the-Authentication-Bypass-via-Outofbounds-Memory-Read-vulnerability

Restart Required: Yes

Instructions:

1. Download EFT version 8.1.0.16 or later from the Fortra support portal.
2. Back up the current configuration and data.
3. Run the installer to upgrade.
4. Restart the EFT service.
5. Verify the new version is running.

🔧 Temporary Workarounds

Network Segmentation

Restrict access to the EFT administration server port (default TCP 1100) to trusted management networks only: at the perimeter firewall for internet-facing hosts, and with Windows Firewall on the EFT server itself. EFT runs on Windows Server, so there is no Linux host firewall on the EFT host to configure.

# Windows Firewall on the EFT host. Block rules take precedence over allow rules in Windows Firewall,
# so a blanket block on 1100 (as often suggested) would also lock out your own administrators.
# Instead add an allow rule scoped to the management subnet (10.10.0.0/24 is an example; substitute yours)
# and make sure no broader inbound allow rule for 1100 remains; the default inbound policy blocks the rest.
netsh advfirewall firewall add rule name="EFT Admin (mgmt subnet only)" dir=in action=allow protocol=TCP localport=1100 remoteip=10.10.0.0/24
# List every inbound rule that still opens port 1100 (PowerShell) and delete any that allow from Any:
Get-NetFirewallPortFilter | Where-Object LocalPort -eq 1100 | Get-NetFirewallRule | Where-Object Direction -eq Inbound | Format-Table DisplayName, Action, Enabled

Disable Administration Server

Temporarily stop the EFT service if management access is not needed. The administration listener runs inside the EFT Server service rather than as a separate service, so stopping it also stops client-facing file transfers; treat this as a last resort, not a routine workaround.

# Windows only (EFT does not run on Linux). The service name varies by edition, so look it up first:
sc query state= all | findstr /i "EFT"
# then stop it using the SERVICE_NAME reported above:
sc stop "<SERVICE_NAME from the query above>"

🧯 If You Can't Patch

  • Implement strict network access controls to limit administration server access to specific IP addresses only.
  • Monitor administration server logs for unusual authentication attempts or connection patterns.

🔍 How to Verify

Check if Vulnerable:

Open the EFT administration interface and check Help > About; any version below 8.1.0.16 is vulnerable. To check without the console, read the installed product version from the Windows uninstall registry (the DisplayName match below is an assumption; adjust it if your entry is named differently):

Check Version:

Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*','HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*EFT*' } | Select-Object DisplayName, DisplayVersion

Verify Fix Applied:

Confirm the reported version is 8.1.0.16 or higher, comparing it numerically component by component rather than as a string (8.1.0.9 sorts after 8.1.0.16 lexicographically). Then confirm the EFT service is running and that administrators can still log in to the administration server.
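The version comparison above is easy to get wrong when done on strings. The following is an added example (not part of this page or of Fortra's tooling) that gates an inventory of host/version pairs against 8.1.0.16 with numeric comparison; the inventory rows are constructed for the example, and in practice you would feed it the DisplayVersion values collected from each host:

```python
"""Version gate for CVE-2023-2989: which EFT hosts are still below 8.1.0.16?

Added example, not Fortra tooling. The inventory rows are CONSTRUCTED; in
practice feed it the version strings collected from each host (Help > About
or the uninstall registry query in the section above).
"""
FIXED_VERSION = (8, 1, 0, 16)  # first fixed release per the vendor advisory


def parse_version(text):
    """'8.1.0.9' -> (8, 1, 0, 9). Pads short strings ('8.1' -> (8, 1, 0, 0)) and
    rejects anything that is not 1-4 dotted integers, so a bad inventory row
    fails loudly instead of being silently treated as patched."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(version):
    """True if the installed version is older than 8.1.0.16 (tuple comparison)."""
    return parse_version(version) < FIXED_VERSION


def naive_string_check(version):
    """The WRONG way: lexicographic string comparison. Kept only to show the
    pitfall; '8.1.0.9' compares greater than '8.1.0.16' because '9' > '1'."""
    return version < "8.1.0.16"


def triage(inventory):
    """inventory: iterable of (hostname, version) -> sorted hostnames needing the patch."""
    return sorted(host for host, ver in inventory if is_vulnerable(ver))


# Constructed inventory; 8.1.0.9 is the case a string comparison gets wrong.
SAMPLE_INVENTORY = [
    ("eft-prod-01", "8.1.0.16"),
    ("eft-prod-02", "8.1.0.9"),
    ("eft-dr-01", "8.0.7.23"),
    ("eft-lab-01", "8.2.0.1"),
]

if __name__ == "__main__":
    print("needs patch:", triage(SAMPLE_INVENTORY))
```

Run it against your own export of host/version pairs; any host it lists is still exposed regardless of what a string sort suggests.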

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts followed by successful authentication from same source
  • Administration server crash/restart events
  • Unusual connection patterns to port 1100

Network Indicators:

  • Traffic to administration server port (1100) from unexpected sources
  • Multiple rapid connection attempts to admin port

SIEM Query (Splunk-style; src_ip, dest_port and the quoted phrases are placeholders for whatever fields and messages your EFT log format and firewall logs actually contain):

source="eft.log" AND ("authentication failure" OR "server restart" OR "connection from") | stats count by src_ip, dest_port
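Detection logic for the three log indicators listed above, as an added example that is not code from this page or from Fortra. The log lines and their key=value fields (src, dport, event, user) are constructed for the example; EFT and your firewall will not emit exactly these fields, so map them onto the real columns before turning this into a SIEM rule or scheduled script:

```python
"""Detection logic for the CVE-2023-2989 log indicators listed above.

Added example, not from the original page or from Fortra. The log lines are
CONSTRUCTED in a generic key=value format for the example; map src/dport/event
onto the fields your EFT and firewall logs really contain before deploying.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ADMIN_PORT = "1100"  # EFT administration listener default (TCP)

# Constructed sample: one source fails twice then "succeeds" 4 s later (bypass
# pattern), a second source hammers the admin port, a third is a benign admin.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=203.0.113.5 dport=1100 event=CONNECT
2024-05-01T10:00:01Z src=203.0.113.5 dport=1100 event=AUTH_FAIL user=admin
2024-05-01T10:00:03Z src=203.0.113.5 dport=1100 event=AUTH_FAIL user=admin
2024-05-01T10:00:05Z src=203.0.113.5 dport=1100 event=AUTH_OK user=admin
2024-05-01T10:01:00Z src=198.51.100.9 dport=1100 event=CONNECT
2024-05-01T10:01:00Z src=198.51.100.9 dport=1100 event=CONNECT
2024-05-01T10:01:01Z src=198.51.100.9 dport=1100 event=CONNECT
2024-05-01T10:01:01Z src=198.51.100.9 dport=1100 event=CONNECT
2024-05-01T10:01:02Z src=198.51.100.9 dport=1100 event=CONNECT
2024-05-01T10:01:03Z src=198.51.100.9 dport=1100 event=CONNECT
2024-05-01T10:05:00Z src=10.0.0.7 dport=1100 event=CONNECT
2024-05-01T10:05:02Z src=10.0.0.7 dport=1100 event=AUTH_OK user=ops
2024-05-01T10:09:00Z src=- dport=- event=SERVICE_RESTART
"""


def parse_line(line):
    """'2024-05-01T10:00:01Z src=... event=...' -> dict with a datetime 'ts'."""
    ts_text, *pairs = line.split()
    record = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def fail_then_success(records, window=timedelta(seconds=60)):
    """Indicator 1: AUTH_FAIL(s) followed by AUTH_OK from the same source on the
    admin port within `window`. The success is the alert; the failures are context."""
    last_fail = {}  # src -> (time of last failure, failures since last success)
    findings = []
    for r in records:
        if r.get("dport") != ADMIN_PORT:
            continue
        src = r["src"]
        if r["event"] == "AUTH_FAIL":
            _, n = last_fail.get(src, (None, 0))
            last_fail[src] = (r["ts"], n + 1)
        elif r["event"] == "AUTH_OK":
            ts, n = last_fail.pop(src, (None, 0))
            if ts is not None and r["ts"] - ts <= window:
                findings.append({"src": src, "user": r.get("user"),
                                 "fails_before": n, "ts": r["ts"]})
    return findings


def connection_bursts(records, threshold=5, window=timedelta(seconds=10)):
    """Indicator 2: at least `threshold` CONNECT events to the admin port from one
    source inside a sliding `window` (scanning, or repeated crash attempts)."""
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    flagged = {}
    for r in records:
        if r["event"] != "CONNECT" or r.get("dport") != ADMIN_PORT:
            continue
        q = recent[r["src"]]
        q.append(r["ts"])
        while r["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and r["src"] not in flagged:
            flagged[r["src"]] = {"src": r["src"], "count": len(q),
                                 "first": q[0], "last": r["ts"]}
    return list(flagged.values())


def service_restarts(records):
    """Indicator 3: service crash/restart events (the DoS outcome of the OOB read)."""
    return [r["ts"] for r in records if r["event"] == "SERVICE_RESTART"]


def run_detections(text=SAMPLE_LOG):
    records = parse_log(text)
    return {"fail_then_success": fail_then_success(records),
            "bursts": connection_bursts(records),
            "restarts": service_restarts(records)}


if __name__ == "__main__":
    for name, findings in run_detections().items():
        print(f"{name}: {findings}")
```

On the sample, the first detector flags 203.0.113.5 (two failures then a success within 60 s), the second flags 198.51.100.9 at its fifth connection inside 10 s, and the third reports the one restart. Tune `threshold` and `window` to your own baseline of legitimate admin-console traffic before alerting on them.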
