Questions are being asked about the time it took Fortra to issue a public advisory regarding a recently discovered critical vulnerability in its GoAnywhere MFT (managed file transfer) secure file sharing solution.
The bug, tracked as CVE-2024-0204, has a CVSSv3 score of 9.8 and could allow a hacker to create a new admin user remotely through the software’s administration portal.
It surfaced 12 months after the Clop ransomware gang began exploited a GoAnywhere MFT zero-day vulnerability to compromise more than 130 organizations.
While Fortra privately told customers about the latest vulnerability last month, it didn’t published an advisory until Jan. 22, more than six weeks after releasing its latest update, GoAnywhere MFT 7.4.1, that patched the bug.
“Fortra evidently addressed this vulnerability in a December 7, 2023 release of GoAnywhere MFT, but it would appear they did not issue an advisory until now,” Rapid7’s director of vulnerability intelligence, Caitlin Condon, noted in a Jan.23 blog post.
Making a public advisory about a newly discovered vulnerability as soon as possible enables details of the bug to be spread more effectively throughout the security community and allows security teams and system administrators to better prioritize their patching schedules for maximum effectiveness.
According to a post on the same day by Horizon3.ai’s Zach Hanley, GoAnywhere MFT customers were advised of the issue via an internal security advisory post, and a patch was made available, on Dec. 4.
While Fortra said it had no reports of the bug being actively exploited in the wild, Condon noted: “we would expect the vulnerability to be targeted quickly if it has not come under attack already, particularly since the fix has been available to reverse engineer for more than a month”.
Certainly, researchers have been paying the vulnerability close attention, suggesting threat groups likely not far behind.
Hanley’s post provided a technical analysis of the vulnerability and Horizon3.ai also published a proof of concept for the exploit on GitHub.
“In 2023, file transfer applications were a top target by threat actors,” Hanley noted.
As well as the damage it inflicted exploiting the previous GoAnywhere MFT bug, Clop also wreaked havoc last year with its massive MOVEit Transfer supply chain attack.
The new Fortra vulnerability affects all versions of GoAnywhere MFT from 6.0.0 to 7.4.0.
GoAnywhere MFT customers who have not already updated to the latest, fixed version should do so on an emergency basis, without waiting for a regular patch cycle to occur, Condon said.
“Organizations should also ensure that administrative portals are not exposed to the public internet.”
In its advisory, Fortra said the vulnerability could also be eliminated in non-container deployments of the software by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services.
In container-deployed instances, customers could replace the file with an empty file and restart.
