In early 2021 a successful attack by hackers on Accellion, a file transfer service provider, resulted in significant downstream repercussions: energy supermajor Shell, global law firm Goodwin Procter and investment bank Morgan Stanley were among the blue chips that saw data stolen as a result. Now a critical vulnerability in Fortra’s GoAnywhere MFT (managed file transfer) application, CVE-2023-0669, is raising fears of data breaches on a similar scale, with CISA confirming that the zero-day vulnerability is being actively exploited in the wild.
(Security researchers have reported the bug as being exploited for over a week. CISA added it to its Known Exploited Vulnerabilities catalogue on February 11 alongside two other vulnerabilities, CVE-2015-2291 and CVE-2022-24990.)
Fortra is hiding its advisory behind a login page. Of the GoAnywhere MFT vulnerability CVE-2023-0669 the advisory says: The “attack vector of this exploit requires public internet access to the administrative console of the application. Due to the nature of the attack, it is critical to note that every managed credential within your GoAnywhere environment should be considered potentially compromised” (The Stack’s italics).
“This includes passwords and keys used to access any external systems with which GoAnywhere is integrated. Ensure that all credentials have been revoked from those external systems and review relevant access logs related to those systems. This also includes passwords and keys used to encrypt files within the system.”
The product is a file transfer service that can be deployed on-premises in enterprise networks; Fortra also offers a hosted SaaS product. It can be run in virtualised environments like VMware’s and installed on Windows, Linux (Red Hat, SUSE, Ubuntu), IBM i (iSeries), AIX (pSeries), UNIX, HP-UX, Solaris and Mac OS X.
Updated February 13: A ransomware group claims to have hit over 130 organisations using the vuln.
Fortra GoAnywhere MFT vulnerability CVE-2023-0669
The vulnerability stems from how the administrative console handles a software license verification response: the servlet that accepts the license response (named in Fortra’s mitigation below) processes attacker-supplied data before authentication, which is why an exposed admin console is enough for exploitation.
Exploits for the vulnerability – first flagged by Brian Krebs on February 2 – have been circulating widely.
Fortra has now pushed an emergency patch: the fixed version of GoAnywhere MFT is 7.1.2. For those unable to patch immediately, the temporary mitigation in the initial security advisory is to edit the web descriptor file [install_dir]/adminroot/WEB-INF/web.xml, delete the servlet definition containing the following servlet-class together with its corresponding servlet-mapping (URL mapping), and then restart the application so the change takes effect: <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>. Note that this only closes the vulnerable endpoint; it does nothing about credentials that may already have been stolen, which is why the advisory’s rotation guidance above still applies.
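As an added illustration of the web.xml mitigation (this is an example written for this page, not Fortra’s own tooling), the script below removes every servlet definition whose servlet-class matches the one Fortra names, removes the servlet-mapping bound to that servlet’s servlet-name, and then re-checks the result so the same function can be used to audit whether a host has actually been mitigated. The sample web.xml is constructed for the example; the servlet-name “LicenseResponseServlet”, the other servlet and the URL patterns are assumptions, not the product’s real values.

```python
"""Remove the GoAnywhere MFT LicenseResponseServlet from web.xml (CVE-2023-0669 mitigation).

Example code for this article, not Fortra's own tooling. Only the servlet-class
below comes from Fortra's advisory; the sample web.xml is constructed.
"""
import shutil
import xml.etree.ElementTree as ET

TARGET_CLASS = "com.linoma.ga.ui.admin.servlet.LicenseResponseServlet"

# Constructed sample: servlet-name, the second servlet and url-patterns are assumptions.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>AdminServlet</servlet-name>
    <servlet-class>com.example.AdminServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>LicenseResponseServlet</servlet-name>
    <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AdminServlet</servlet-name>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>LicenseResponseServlet</servlet-name>
    <url-pattern>/lic/accept</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local name, or None."""
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def _parse(xml_text):
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    # Keep the default namespace on output instead of an ns0: prefix.
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:].split("}")[0])
    return root


def _target_names(root, servlet_class):
    """servlet-names of every <servlet> whose <servlet-class> is servlet_class."""
    names = set()
    for servlet in root:
        if _local(servlet.tag) == "servlet" and _child_text(servlet, "servlet-class") == servlet_class:
            name = _child_text(servlet, "servlet-name")
            if name:
                names.add(name)
    return names


def remove_license_servlet(xml_text, servlet_class=TARGET_CLASS):
    """Return (patched_xml, removed_count).

    Removes each <servlet> whose <servlet-class> is servlet_class and each
    <servlet-mapping> bound to one of those servlets' names, so the URL stops
    resolving to the vulnerable servlet rather than just losing its class.
    """
    root = _parse(xml_text)
    names = _target_names(root, servlet_class)
    removed = 0
    for elem in list(root):  # copy: we mutate root while iterating
        kind = _local(elem.tag)
        if (kind == "servlet" and _child_text(elem, "servlet-class") == servlet_class) or (
            kind == "servlet-mapping" and _child_text(elem, "servlet-name") in names
        ):
            root.remove(elem)
            removed += 1
    patched = '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")
    return patched, removed


def license_servlet_present(xml_text, servlet_class=TARGET_CLASS):
    """Audit check: True if the servlet is still defined or still has a URL mapping."""
    root = _parse(xml_text)
    names = _target_names(root, servlet_class)
    if names:
        return True
    return any(
        _local(e.tag) == "servlet-mapping" and _child_text(e, "servlet-name") in names for e in root
    )


def patch_file(path):
    """Back up web.xml to <path>.bak, rewrite it without the servlet, return removed_count."""
    shutil.copy2(path, path + ".bak")
    with open(path, "rb") as fh:
        patched, removed = remove_license_servlet(fh.read())
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(patched)
    return removed


if __name__ == "__main__":
    out, n = remove_license_servlet(SAMPLE_WEB_XML)
    print(f"removed {n} element(s); still present: {license_servlet_present(out)}")
```

Two caveats for real hosts: ElementTree drops XML comments on re-serialisation, so take the .bak copy seriously (or hand-edit the two elements and use only license_servlet_present to verify), and the application must be restarted after the file changes, since the servlet container reads web.xml at startup.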
There appear to be over 1,000 admin consoles publicly exposed, albeit with only 135 on ports 8000 and 8001 (the ones used by the vulnerable admin console). Security researchers at Rapid7 say that the GoAnywhere MFT vulnerability can also be exploited via an internal user’s browser, so those confident that they are not publicly exposed should still patch promptly: however well the interface is protected from the outside world, it may still be exploited by attackers with any other internal foothold.
Rapid7’s detailed post on exploitation can be read here, even if Fortra’s own advisory can’t be simply accessed. (As Rapid7 notes: “notably, hiding security advisories behind a customer portal is something we heavily discourage. It’s optimal when this type of information is public so users can stay informed...”)