Exploit released for RCE zero-day vulnerability in GoAnywhere MFT

Exploit code has been released for a zero-day remote code execution vulnerability affecting Internet-exposed GoAnywhere MFT administrator consoles.

GoAnywhere MFT is a web-based and managed file transfer tool designed to help organizations to transfer files securely with partners and keep audit logs of who accessed the shared files.

Its developer is Fortra (formerly known as HelpSystems), the outfit behind the widely abused threat emulation tool.

On Monday, security researcher  of IT security consulting firm Code White released technical details and that performs unauthenticated remote code execution on vulnerable GoAnywhere MFT servers.

“I could provide a working (compare hash and time of my ) to my teammates within hours on the same day to protect our clients first,” Hauser said.

​Fortra says that “the attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS).”

However, a Shodan scan shows that are exposed on the Internet, although just over 140 are on ports 8000 and 8001 (the ones used by the vulnerable admin console).

Map of vulnerable GoAnywhere MFT servers
Map of vulnerable GoAnywhere MFT servers (Shodan)

Mitigation available

The company is yet to publicly acknowledge this remote pre-authentication RCE security flaw (to read the advisory, you need to create a free account first) and hasn’t released security updates to address the vulnerability, thus leaving all exposed installations vulnerable to attacks.

However, the private advisory provides mitigation advice that includes implementing access controls to allow access to the GoAnywhere MFT administrative interface only from trusted sources or disabling the licensing service.

To disable the licensing server, admins have to comment out or delete the servlet and servlet-mapping configuration for the License Response Servlet in the web.xml file to disable the vulnerable endpoint. A restart is required to apply the new configuration.

GoAnywhere MFT License Response Servlet
Code to remove/comment out to disable GoAnywhere MFT’s licensing service

“Due to the fact that data in your environment could have been accessed or exported, you should determine whether you have stored credentials for other systems in the environment and make sure those credentials have been revoked,” Fortra added in an update issued on Saturday.

“This includes passwords and keys used to access any external systems with which GoAnywhere is integrated.

“Ensure that all credentials have been revoked from those external systems and review relevant access logs related to those systems. This also includes passwords and keys used to encrypt files within the system.”

Fortra also recommends taking the following measures after mitigation in environments with suspicion or evidence of an attack:

  • Rotate your Master Encryption Key.
  • Reset credentials – keys and/or passwords – for all external trading partners/systems.
  • Review audit logs and delete any suspicious admin and/or web user accounts
  • Contact support via the portal, email [email protected], or phone 402-944-4242 for further assistance.