Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/
Emergent threats evolve quickly. As we learn more about this vulnerability, we will update this blog post with relevant information about technical findings, product coverage, and other information that can assist you with assessment and mitigation.
On Thursday, February 2, 2023, security reporter Brian Krebs published a warning on Mastodon about an actively exploited zero-day vulnerability affecting on-premise instances of Fortra’s GoAnywhere MFT managed file transfer solution. Fortra (formerly HelpSystems) evidently published an advisory on February 1 behind authentication; there is no publicly accessible advisory.
According to the advisory, which Krebs quoted directly in his Mastodon post, the vulnerability is a remote code injection flaw that requires administrative console access for successful exploitation. Fortra said that the Web Client interface itself is not exploitable. While administrative consoles and management interfaces should ideally never be exposed to the internet, security researcher Kevin Beaumont noted in a reply to Krebs’s post on Mastodon that there appears to be a fair number of systems (1,000+) exposing administrative ports to the public internet.
The Fortra advisory Krebs quoted advises GoAnywhere MFT customers to review all administrative users and monitor for unrecognized usernames, especially those created by system. The logical deduction is that Fortra is likely seeing follow-on attacker behavior that includes the creation of new administrative or other users to take over or maintain persistence on vulnerable target systems.
Note that, while this is not mentioned explicitly in the pasted Fortra advisory text, it is also possible that threat actors may be able to obtain administrative access by targeting reused, weak, or default credentials.
Mitigation guidance
While Fortra has published a mitigation, there is no mention of a patch. GoAnywhere MFT customers can log into the customer portal to access direct communications from Fortra.
The following mitigation information has been taken from Krebs’s repost of the Fortra advisory on Mastodon, but has not been verified by our research team:
On the file system where GoAnywhere MFT is installed, edit the file [install_dir]/adminroot/WEB_INF/web.xml.
Find and remove (delete or comment out) the following servlet and servlet-mapping configuration in the screenshot below.
Before:
<servlet>
<servlet-name>License Response Servlet</servlet-name>
<servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
<load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Licenses Response Servlet</servlet-name>
<url-pattern>/lic/accept/</url-pattern>
After:
<!--
Add these tags to comment out the following section (as shown) or simply delete this section if you are not familiar with XML comments:
<servlet>
<servlet-name>License Response Servlet</servlet-name>
<servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
<load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Licenses Response Servlet</servlet-name>
<url-pattern>/lic/accept/</url-pattern>
</servlet-mapping>
-->
Restart the GoAnywhere MFT application. If GoAnywhere MFT is clustered, this change needs to happen on every instance node in the cluster.
Rapid7 customers
The February 3, 2023 content-only release of InsightVM and Nexpose will add support for customers to use the following query to identify potentially affected GoAnywhere MFT instances in their environments:
asset.software.product = 'Managed File Transfer'.
Vulnerability checks may follow if the vendor releases one or more official fixed versions of the application.