CVE-2024-0204
📋 TL;DR
Fortra GoAnywhere MFT versions prior to 7.4.1 contain an authentication bypass in the administration portal: an unauthenticated attacker who can reach the portal can create a new administrative user without supplying any credentials. That account gives the attacker full administrative control of the MFT instance, including its file transfer configuration, the files it stores and the credentials it holds for connected systems.
💻 Affected Systems
- Fortra GoAnywhere MFT
📦 What is this software?
GoAnywhere MFT is Fortra's managed file transfer (MFT) product. It brokers file exchanges between an organisation and its partners and is configured through a web-based administration portal, which is the component this vulnerability affects.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the MFT system leading to data exfiltration, ransomware deployment, lateral movement to connected systems, and persistent backdoor access.
Likely Case
Unauthorized administrative access leading to data theft, manipulation of file transfers, and potential credential harvesting from the MFT system.
If Mitigated
Exposure is limited if the administration portal is reachable only from a restricted administrative network, because only an attacker already on that network can reach it; any attacker who does reach the portal still gains full administrative access.
🎯 Exploit Status
Public exploit code is available on Packet Storm (see References). Exploitation requires only network access to the administration portal; no credentials, user interaction or prior foothold are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.4.1
Vendor Advisory: https://www.fortra.com/security/advisory/fi-2024-001
Restart Required: Yes
Instructions:
1. Download GoAnywhere MFT 7.4.1 from the Fortra support portal.
2. Back up the current installation.
3. Stop the GoAnywhere services.
4. Apply the update.
5. Restart the services.
6. Verify that the reported version is 7.4.1.
🔧 Temporary Workarounds
Network Isolation
Restrict access to the GoAnywhere administration portal to trusted administrator IP addresses only, at the firewall or load balancer. The end-user file transfer services are not the vulnerable component and do not need the same restriction for this issue.
Disable Administration Portal
Temporarily disable the administration portal interface if it is not required.
Remove the Initial Account Setup Page
Fortra's advisory FI-2024-001 also describes a file-level workaround for deployments that cannot patch immediately: on non-container installations, delete the InitialAccountSetup.xhtml file from the install directory and restart the GoAnywhere services; on container deployments, replace the file with an empty file and restart the services.
🧯 If You Can't Patch
- Immediately restrict network access to the GoAnywhere administration portal with firewall rules that allow only known administrator sources
- Place an additional authentication layer (VPN, or a reverse proxy enforcing MFA) in front of the administration portal so that unauthenticated requests never reach GoAnywhere itself
🔍 How to Verify
Check if Vulnerable:
Check the GoAnywhere version in the administration portal or in the installation's logs. Any version below 7.4.1 is vulnerable.
Check Version:
Check version in GoAnywhere administration portal under Help > About or examine installation directory version files.
Verify Fix Applied:
Confirm that the administration portal reports version 7.4.1 (or later) and that an unauthenticated request to the administration portal can no longer create an administrative user; an unpatched host will still accept it.
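The version comparison above, as an added example that is not part of the page or of Fortra's own tooling. It assumes the text shown under Help > About contains a dotted version such as "7.4.0"; adjust VERSION_RE if your build reports the version differently. Versions are compared as integer tuples rather than strings so that, for example, a hypothetical 7.10.0 sorts after 7.4.1.

```python
"""Added example (not from the page or Fortra): decide whether a reported
GoAnywhere MFT version is below the fixed release 7.4.1.

Assumption: the version text contains a dotted version like '7.4.0'.
"""
import re

FIXED_VERSION = (7, 4, 1)

# First dotted version in free text; the third component is optional.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b")


def parse_version(text: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) from text such as 'GoAnywhere MFT 7.4.0'.

    A two-part version such as '7.4' is treated as 7.4.0.
    """
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable(text: str) -> bool:
    """True when the reported version is below 7.4.1, the page's affected range."""
    return parse_version(text) < FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real install.
    for banner in ("GoAnywhere MFT 7.4.0", "GoAnywhere MFT 7.4.1", "6.8.6", "7.4"):
        state = "VULNERABLE" if is_vulnerable(banner) else "fixed"
        print(f"{banner:>22}: {state}")
```

Feed it the About-page text or the version string from the installation directory; a True result means the host is in the affected range and the patch or one of the workarounds above still applies.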
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated access to administration portal endpoints
- Unexpected admin user creation events
- Administration portal requests that reach authenticated pages without a preceding successful login from the same source
Network Indicators:
- Unusual traffic to /goanywhere/admin endpoints from unauthorized sources
- POST requests to user creation endpoints without prior authentication
SIEM Query (pseudo-query; adapt the field names and the trusted_ips list to your log source):
source="goanywhere" AND (uri_path="/goanywhere/admin/*" AND http_status=200) AND NOT (src_ip IN [trusted_ips])
The http_status=200 filter drops the normal 302 redirects to the login page that unauthenticated requests receive, so the query surfaces only requests from untrusted sources that actually reached portal content.
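The log and network indicators above, run over constructed access-log lines, as an added example that is not part of the page or of Fortra's product. It assumes an Apache/NGINX combined-format access log, an administration portal served under /goanywhere/, a login endpoint at /goanywhere/auth/Login.xhtml and an administrator network of 10.0.5.0/24; the user-creation path in the sample is made up. Real GoAnywhere logs and paths differ, so treat these as placeholders to adjust.

```python
"""Added example (not from the page or Fortra): apply the page's detection
indicators to constructed access-log lines.

Assumptions (adjust to your deployment): combined log format, admin portal
under /goanywhere/, login POSTs to /goanywhere/auth/Login.xhtml, admin
workstations in 10.0.5.0/24.
"""
import ipaddress
import re
from dataclasses import dataclass

ADMIN_PREFIX = "/goanywhere/"                         # assumption
LOGIN_PATH = "/goanywhere/auth/Login.xhtml"           # assumption
TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]  # assumption

# Constructed sample log; the users/Create.xhtml path is invented for illustration.
SAMPLE_LOG = """\
10.0.5.12 - - [23/Jan/2024:10:15:01 +0000] "GET /goanywhere/auth/Login.xhtml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.5.12 - - [23/Jan/2024:10:15:09 +0000] "POST /goanywhere/auth/Login.xhtml HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.5.12 - - [23/Jan/2024:10:15:40 +0000] "POST /goanywhere/admin/users/Create.xhtml HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.77 - - [23/Jan/2024:10:16:44 +0000] "GET /goanywhere/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.77 - - [23/Jan/2024:10:16:45 +0000] "POST /goanywhere/admin/users/Create.xhtml HTTP/1.1" 200 1980 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


@dataclass(frozen=True)
class Finding:
    src_ip: str
    timestamp: str
    indicator: str
    path: str


def is_trusted(ip: str) -> bool:
    """True when the source address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_indicators(log_text: str) -> list[Finding]:
    """Flag admin-portal 200s from untrusted sources and admin POSTs with no prior login.

    Login state is tracked per source IP as a stand-in for a session cookie,
    which the access log does not carry.
    """
    logged_in: set[str] = set()
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not match the assumed format
        ip, ts, method, path = m["ip"], m["ts"], m["method"], m["path"]
        status = int(m["status"])
        if not path.startswith(ADMIN_PREFIX):
            continue
        if path == LOGIN_PATH:
            if method == "POST" and status in (200, 302):
                logged_in.add(ip)  # successful login POST from this source
            continue
        if status == 200 and not is_trusted(ip):
            findings.append(Finding(ip, ts, "admin portal 200 from untrusted source", path))
        if method == "POST" and status == 200 and ip not in logged_in:
            findings.append(Finding(ip, ts, "admin POST without prior login from this source", path))
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.src_ip:<15} {f.indicator}: {f.path}")
```

Only the untrusted source that posted to the admin user-creation page without logging in is reported; the administrator who logged in first and then created a user is not. Keying login state on the source IP is a simplification: behind a NAT or proxy several clients share one address, so where the log carries a session identifier, track that instead.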
🔗 References
- http://packetstormsecurity.com/files/176683/GoAnywhere-MFT-Authentication-Bypass.html
- http://packetstormsecurity.com/files/176974/Fortra-GoAnywhere-MFT-Unauthenticated-Remote-Code-Execution.html
- https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml
- https://www.fortra.com/security/advisory/fi-2024-001