
WARNING: FORTRA RELEASED AN EMERGENCY PATCH TO ADDRESS AN ACTIVELY EXPLOITED ZERO-DAY VULNERABILITY IN FORTRA GOANYWHERE MANAGED FILE TRANSFER, PATCH IMMEDIATELY!

Reference:
Advisory #2023-16
Version: 
1.0
Affected software:
Fortra GoAnywhere Managed File Transfer versions < 7.1.2
Type: 
Remote code execution (RCE)
CVE/CVSS: 

CVE-2023-0669 CVSS3.1: N/A

Sources

https://nvd.nist.gov/vuln/detail/CVE-2023-0669

Risks

On the 7th of February, Fortra released an emergency patch (7.1.2) for an actively exploited zero-day vulnerability (CVE-2023-0669) found in the GoAnywhere MFT secure web file transfer solution that allows businesses to manage and exchange files in a secure and compliant way.

CVE-2023-0669 is actively exploited and Proof of Concept code is available.

A successful attack has a high impact on all three elements of the CIA triad: confidentiality, integrity, and availability.

Exploiting CVE-2023-0669 requires access to the application's administrative console, which is the attack vector.

A malicious actor could use a victim's managed file transfer software to infect other victims by sending malicious files. A successful intrusion could lead to a serious supply chain attack.

The Centre for Cyber Security Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity.

If your organization has already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident.

Description

The vulnerability allows an attacker to perform unauthenticated remote code execution when the administrator console is exposed to the public internet.

Affected products: Fortra GoAnywhere MFT secure web file transfer solution

A PoC exploit code for the vulnerability was released on the 6th of February.

Recommended actions

  • Apply the emergency patch 7.1.2 as soon as possible
  • Ensure that the administrative console is accessible only from:
    • Within a private company network
    • VPN
    • Allow-listed IP addresses (cloud environments)
  • Turn off the licensing service by removing or commenting out the License Response Servlet's servlet-mapping setting from the web.xml file.
  • Review all administrative users and monitor for unrecognized usernames, especially those created by the system user.
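
As an added example (not from this advisory or from Fortra), a Python check for the web.xml mitigation above: it reports whether the License Response Servlet still has a servlet-mapping and returns a copy of the file with that mapping removed, so the result can be verified before it is deployed. The servlet name is the one the advisory gives; the sample file contents, the url-patterns, the namespace and the install path are assumptions.

```python
"""Check a GoAnywhere MFT admin web.xml for the 'License Response Servlet'
servlet-mapping named in the CVE-2023-0669 mitigation, and strip it if present."""
import xml.etree.ElementTree as ET

SERVLET_NAME = "License Response Servlet"  # servlet name as given in the advisory

# Constructed sample web.xml fragment for demonstration; NOT Fortra's real file.
# The url-patterns and namespace are assumptions; the real file normally lives
# under <install_dir>/adminroot/WEB-INF/web.xml (placeholder path).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet-mapping>
    <servlet-name>License Response Servlet</servlet-name>
    <url-pattern>/lic/accept</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Admin Servlet</servlet-name>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

def _local(tag):
    # '{http://...}servlet-mapping' -> 'servlet-mapping' (web.xml uses a default namespace)
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def _is_license_mapping(elem, servlet_name):
    return _local(elem.tag) == "servlet-mapping" and _child_text(elem, "servlet-name") == servlet_name

def find_license_mappings(web_xml_text, servlet_name=SERVLET_NAME):
    """Return url-patterns still routed to the licensing servlet; [] means mitigated."""
    root = ET.fromstring(web_xml_text)
    return [_child_text(m, "url-pattern") for m in root if _is_license_mapping(m, servlet_name)]

def remove_license_mappings(web_xml_text, servlet_name=SERVLET_NAME):
    """Return the web.xml text with every mapping for the licensing servlet removed."""
    root = ET.fromstring(web_xml_text)
    if root.tag.startswith("{"):  # keep the default namespace on re-serialisation
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    for mapping in [m for m in root if _is_license_mapping(m, servlet_name)]:
        root.remove(mapping)
    return ET.tostring(root, encoding="unicode")
```

Run `find_license_mappings` against the deployed file after patching or editing; an empty list confirms the licensing servlet is no longer mapped, while the other mappings (the admin console in the sample) are left untouched.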

If an organisation suspects an intrusion or compromise, the following steps are strongly recommended!

  • Rotate the master encryption key.
  • Reset credentials for all users.
  • Review audit logs and delete suspicious admin or user accounts.
  • Contact Fortra support:

References

https://www.bleepingcomputer.com/news/security/exploit-released-for-actively-exploited-goanywhere-mft-zero-day/
https://my.goanywhere.com/webclient (login required)