Rapid 7 - Exploitation of GoAnywhere MFT zero-day vulnerability

Exploitation of GoAnywhere MFT zero-day vulnerability

Emergent threats evolve quickly. As we learn more about this vulnerability, we will update this blog post with relevant information about technical findings, product coverage, and other information that can assist you with assessment and mitigation.

On Thursday, February 2, 2023, security reporter Brian Krebs published a warning on Mastodon about an actively exploited zero-day vulnerability affecting on-premise instances of Fortra’s GoAnywhere MFT managed file transfer solution. Fortra (formerly HelpSystems) evidently published an advisory on February 1 behind authentication; there is no publicly accessible advisory.

Exploitation of GoAnywhere MFT zero-day vulnerability

According to the advisory, which Krebs quoted directly in his Mastodon post, the vulnerability is a remote code injection flaw that requires administrative console access for successful exploitation. Fortra said that the Web Client interface itself is not exploitable. While administrative consoles and management interfaces should ideally never be exposed to the internet, security researcher Kevin Beaumont noted in a reply to Krebs’s post on Mastodon that there appears to be a fair number of systems (1,000+) exposing administrative ports to the public internet.

The Fortra advisory Krebs quoted advises GoAnywhere MFT customers to review all administrative users and monitor for unrecognized usernames, especially those created by system. The logical deduction is that Fortra is likely seeing follow-on attacker behavior that includes the creation of new administrative or other users to take over or maintain persistence on vulnerable target systems.

Note that, while this is not mentioned explicitly in the pasted Fortra advisory text, it is also possible that threat actors may be able to obtain administrative access by targeting reused, weak, or default credentials.

Mitigation guidance

While Fortra has published a mitigation, there is no mention of a patch. GoAnywhere MFT customers can log into the customer portal to access direct communications from Fortra.

The following mitigation information has been taken from Krebs’s repost of the Fortra advisory on Mastodon, but has not been verified by our research team:

On the file system where GoAnywhere MFT is installed, edit the file [install_dir]/adminroot/WEB_INF/web.xml.

Find and remove (delete or comment out) the following servlet and servlet-mapping configuration in the screenshot below.

Before:

<servlet>
     <servlet-name>License Response Servlet</servlet-name>
     <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
     <load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
     <servlet-name>Licenses Response Servlet</servlet-name>
     <url-pattern>/lic/accept/</url-pattern>

After:

<!--

Add these tags to comment out the following section (as shown) or simply delete this section if you are not familiar with XML comments:

<servlet>
     <servlet-name>License Response Servlet</servlet-name>
     <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
     <load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
     <servlet-name>Licenses Response Servlet</servlet-name>
     <url-pattern>/lic/accept/</url-pattern>
</servlet-mapping>
 -->

Restart the GoAnywhere MFT application. If GoAnywhere MFT is clustered, this change needs to happen on every instance node in the cluster.

Rapid7 customers

The February 3, 2023 content-only release of InsightVM and Nexpose will add support for customers to use the following query to identify potentially affected GoAnywhere MFT instances in their environments:
asset.software.product = 'Managed File Transfer'.

Vulnerability checks may follow if the vendor releases one or more official fixed versions of the application.



from Rapid7 Blog https://blog.rapid7.com/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/

Comments

Popular posts from this blog

Krebs - NY Charges First American Financial for Massive Data Leak

KnowBe4 - Scam Of The Week: "When Users Add Their Names to a Wall of Shame"