Researchers have warned users about a serious zero-day vulnerability in the GoAnywhere MFT software. Exploiting the vulnerability allows an attacker to breach the tool’s servers and execute code on exposed admin consoles. Following active exploitation of the flaw, the vendor released emergency patch 7.1.2 for the bug, urging users to update immediately.
GoAnywhere MFT Zero-Day Vulnerability
Recently, the GoAnywhere team issued an alert to its users, disclosing a serious security vulnerability.
GoAnywhere is a standalone managed file transfer (MFT) software that facilitates businesses in sharing data with other users. The recipients may include the firms’ systems, employees, customers, or trading partners.
The news about the vulnerability surfaced online when GoAnywhere published a security advisory on its platform. However, it gained traction when the security reporter Brian Krebs highlighted the matter on Mastodon.
For clarity, Krebs copied and pasted GoAnywhere’s advisory into his message thread; he could access the advisory only after creating an account on the vendor’s platform.
Specifically, GoAnywhere disclosed a zero-day flaw that allows an adversary with access to the administrative console to execute code.
The advisory elaborated that such access is possible via a VPN, whitelisted IPs, or private company networks. An admin console exposed to the public internet is highly vulnerable to the exploit. The Web Client interface, the component that is usually publicly accessible, is not affected by this issue.
While that may not sound especially dangerous, what GoAnywhere’s advisory did not highlight was how many admin consoles are actually internet-facing. According to the researcher Kevin Beaumont’s reply in Krebs’ thread, a Shodan search turned up a considerably high number of exposed admin consoles, listening on the non-HTTPS port 8000 rather than port 8001 (HTTPS).
Recommended Mitigations And Emergency Fix
At the time of the bug’s disclosure, no permanent patch was available for this zero-day RCE, so the vendor shared some mitigation steps in its advisory.
Specifically, it asked customers with vulnerable or exposed admin interfaces to review their admin user accounts for signs of unauthorized access and to apply the recommended configuration (explained in the advisory). Customers can also contact GoAnywhere’s support team for assistance in this regard.
A few days after the vulnerability disclosure and reports of active exploitation, the vendor released an emergency fix. As explained in its follow-up advisory, the patch ships as GoAnywhere MFT version 7.1.2, and users are urged to update immediately.
Let us know your thoughts in the comments.