
WARNING: CRITICAL AUTHENTICATION BYPASS VULNERABILITY IN FORTRA GOANYWHERE MFT, PATCH IMMEDIATELY!

Reference: Advisory #2024-13
Version: 1.0
Affected software:
  • Fortra GoAnywhere MFT 6.x from 6.0.1
  • Fortra GoAnywhere MFT 7.x before 7.4.1
Type: Authentication bypass
CVE/CVSS: CVE-2024-0204, CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://www.fortra.com/security/advisory/fi-2024-001

Risks

CVE-2024-0204 is a critical authentication bypass vulnerability affecting the GoAnywhere secure managed file transfer (MFT) product prior to version 7.4.1. An unauthenticated attacker could remotely exploit this vulnerability to create an admin user via the administration portal.

Successful exploitation of this vulnerability has a high impact on confidentiality, integrity, and availability.

There is no available information yet about the vulnerability being exploited in the wild by threat actors, but a PoC was recently released which could increase the risk of exploitation.

Description

According to Fortra, the root cause of the CVE-2024-0204 authentication bypass vulnerability is forced browsing (CWE-425), a weakness that occurs when a web application does not adequately enforce authorization on restricted URLs, scripts, or files.

The vulnerability was addressed in a December 7, 2023 release of GoAnywhere MFT, and a customer advisory was also released.

The public advisory was published on January 22, 2024.

The affected versions are:

  • Fortra GoAnywhere MFT 6.x from 6.0.1
  • Fortra GoAnywhere MFT 7.x before 7.4.1

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

GoAnywhere MFT customers should update to a fixed version (7.4.1 or higher) on an emergency basis. Organizations should also ensure that administrative portals are not exposed to the public internet.

The vulnerability can also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, the vulnerability can be eliminated by replacing the file with an empty file and restarting the services.
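The file-level workaround above, written out as a POSIX shell script. This is an added example and not a script from Fortra or the CCB. It assumes the GoAnywhere MFT install directory is passed as an argument and searches it for InitialAccountSetup.xhtml (the exact location inside the install tree is not stated on this page); the service restart command varies per deployment and is left to the operator, so the script only reminds you to do it.

```shell
#!/bin/sh
# Added example (not Fortra's or the CCB's own script): apply the advisory's
# file-level mitigation for CVE-2024-0204 to a GoAnywhere MFT install directory.
# Assumption (not on the page): the install directory is supplied as $1, and the
# location of InitialAccountSetup.xhtml below it is found by searching.

# List every InitialAccountSetup.xhtml below the install directory, one per line.
find_setup_pages() {
    find "$1" -type f -name 'InitialAccountSetup.xhtml' 2>/dev/null
}

# mitigate_goanywhere_file INSTALL_DIR MODE
#   MODE=host      -> delete the file (non-container deployment, per the advisory)
#   MODE=container -> replace it with an empty file (container deployment, per the advisory)
# Returns 0 if at least one file was handled, 1 if none were found, 2 on bad arguments.
mitigate_goanywhere_file() {
    install_dir="$1"
    mode="$2"
    [ -d "$install_dir" ] || { echo "no such directory: $install_dir" >&2; return 2; }
    case "$mode" in
        host|container) ;;
        *) echo "mode must be 'host' or 'container'" >&2; return 2 ;;
    esac
    handled=0
    old_ifs=$IFS
    IFS='
'
    for f in $(find_setup_pages "$install_dir"); do
        if [ "$mode" = host ]; then
            rm -f "$f" && echo "deleted $f"
        else
            : > "$f" && echo "emptied $f"
        fi
        handled=$((handled + 1))
    done
    IFS=$old_ifs
    if [ "$handled" -eq 0 ]; then
        echo "InitialAccountSetup.xhtml not found under $install_dir (already mitigated or patched?)"
        return 1
    fi
    # The restart command depends on how GoAnywhere was installed; it is not on the page.
    echo "handled $handled file(s); restart the GoAnywhere services now so the change takes effect"
    return 0
}

# verify_mitigated INSTALL_DIR: returns 0 when no non-empty InitialAccountSetup.xhtml
# remains below the install directory, 1 otherwise. Useful as a post-change check
# and as a quick audit across hosts before the 7.4.1 upgrade lands.
verify_mitigated() {
    old_ifs=$IFS
    IFS='
'
    for f in $(find_setup_pages "$1"); do
        if [ -s "$f" ]; then
            IFS=$old_ifs
            return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# Usage: sh mitigate.sh /path/to/goanywhere host|container
if [ "$#" -ge 2 ]; then
    mitigate_goanywhere_file "$1" "$2"
    verify_mitigated "$1" && echo "verified: no active InitialAccountSetup.xhtml remains"
fi
```

Run it once per instance and then restart the services; treat the workaround as a stopgap, since the advisory's actual fix is upgrading to 7.4.1 or later.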

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-0204