Fortra has released an emergency patch to address an actively exploited zero-day vulnerability in the GoAnywhere MFT secure file transfer tool.
The vulnerability allows attackers to gain remote code execution on vulnerable GoAnywhere MFT instances whose administrative console is exposed online.
The company has disclosed (this advisory can only be accessed with a free account) over the weekend that the flaw is being exploited in attacks and has provided indicators of compromise for potentially affected customers, including a specific stack trace that would show up in the logs on compromised systems.
“If this stacktrace is in the logs, it is very likely this system has been the target of attack,” Fortra said.
Now, it has added an update to its customer dashboard tagged as “time sensitive” and urging customers to patch their instances “as soon as possible.”
“This patch (7.1.2) was created as a result of the issue we disclosed in the Security Advisories published last week related to GoAnywhere MFTaaS. We urgently advise all GoAnywhere MFT customers to apply this patch,” Fortra says.
“We urgently advise all GoAnywhere MFT customers to apply this patch. Once downloaded, we recommend working with your administrators to get the patch applied as soon as possible to ensure full remediation of the identified issue.
“Particularly for customers running an admin portal exposed to the Internet, we consider this an urgent matter.”
You can download the security patch from the “Product Downloads” tab at the top of the GoAnywhere account page after logging in.
On Monday, security researcher Florian Hauser of IT security consulting firm Code White also released a proof-of-concept exploit that could be used to achieve unauthenticated remote code execution on Internet-exposed and unpatched GoAnywhere MFT servers.
Dozens of instances exposed online, mitigation also available
In a Saturday update to its advisory, Fortra explained that “the attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS).”
However, a Shodan scan reveals that close to 1,000 GoAnywhere instances are exposed on the Internet. Despite this, only just over 140 are reachable on ports 8000 and 8001, the default ones used by the vulnerable admin console.
If you cannot immediately apply the GoAnywere MFT emergency security patch, you can follow the company’s mitigation advice that requires implementing access controls to allow access to the admin interface only from trusted sources or disabling the licensing service.
To disable the built-in and vulnerable licensing server, admins have to either comment out or delete the servlet and servlet-mapping configs for the License Response Servlet in the web.xml file, which would disable the vulnerable endpoint.
After making the changes and saving the modified web.xml file, a restart is also required to apply the new configuration.
“Due to the fact that data in your environment could have been accessed or exported, you should determine whether you have stored credentials for other systems in the environment and make sure those credentials have been revoked,” Fortra added.
“This includes passwords and keys used to access any external systems with which GoAnywhere is integrated.
“Ensure that all credentials have been revoked from those external systems and review relevant access logs related to those systems. This also includes passwords and keys used to encrypt files within the system.”