Last updated at Tue, 27 Feb 2024 17:15:15 GMT

On January 22, 2024, Fortra published a security advisory on CVE-2024-0204, a critical authentication bypass affecting its GoAnywhere MFT secure managed file transfer product prior to version 7.4.1. The vulnerability is remotely exploitable and allows an unauthorized user to create an admin user via the administration portal. Fortra lists the root cause of CVE-2024-0204 as CWE-425: Forced Browsing, which is a weakness that occurs when a web application does not adequately enforce authorization on restricted URLs, scripts, or files.

Fortra evidently addressed this vulnerability in a December 7, 2023 release of GoAnywhere MFT, but it would appear they did not issue an advisory until now. According to a screenshot from Mohammed Eldeeb, the researcher who discovered the vulnerability, private communications went out to GoAnywhere MFT customers circa December 4. Fortra has since indicated to news outlets that CVE-2024-0204 was not exploited in the wild at time of disclosure.

In February 2023, a zero-day vulnerability (CVE-2023-0669) in GoAnywhere MFT was exploited in a large-scale ransomware campaign conducted by the Cl0p ransomware group. It is not clear from Fortra's initial advisory whether CVE-2024-0204 has been exploited in the wild, but we would expect the vulnerability to be targeted quickly if it has not come under attack already, particularly since the fix has been available to reverse engineer for more than a month. Rapid7 strongly advises GoAnywhere MFT customers to take emergency action.

Mitigation guidance

CVE-2024-0204 affects the following versions of GoAnywhere MFT:

  • Fortra GoAnywhere MFT 6.x from 6.0.1
  • Fortra GoAnywhere MFT 7.x before 7.4.1

GoAnywhere MFT customers who have not already updated to a fixed version (7.4.1 or higher) should do so on an emergency basis, without waiting for a regular patch cycle to occur. Organizations should also ensure that administrative portals are not exposed to the public internet.

According to the vendor advisory, “the vulnerability may also be eliminated in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, replace the file with an empty file and restart. For additional information, see http://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml (registration required).”

If you are unable to update to a fixed version, Fortra has offered two manual mitigation pathways:

  • Deleting the InitialAccountSetup.xhtml file in the installation directory and restarting the services.
  • Replacing the InitialAccountSetup.xhtml file with an empty file and restarting the services.
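The two manual pathways above, as an added example (this is not Fortra's or Rapid7's code): a small POSIX shell script that audits whether InitialAccountSetup.xhtml is still a live, non-empty file in the install directory and, if so, backs it up and either deletes it (non-container deployments) or truncates it to an empty file (container deployments). The install directory is an assumed argument, since the advisory does not name it, and the service restart is left to the operator because no restart command appears on the page.

```shell
#!/bin/sh
# Added example, not vendor code: audit and apply Fortra's manual workaround
# for CVE-2024-0204 on a GoAnywhere MFT host.
# Assumptions: the install directory is passed as $1 (placeholder; the advisory
# does not name it) and the file to neutralize is InitialAccountSetup.xhtml as
# the advisory states. Restarting the GoAnywhere services afterwards is left to
# the operator, since the advisory gives no command for it.

SETUP_PAGE="InitialAccountSetup.xhtml"

# Report the state of the setup page: "missing", "empty" or "present".
# Only "present" (a non-empty file) means the workaround is NOT in place.
setup_page_status() {
    f="$1/$SETUP_PAGE"
    if [ ! -e "$f" ]; then
        echo missing
    elif [ ! -s "$f" ]; then
        echo empty
    else
        echo present
    fi
}

# Apply the workaround. Mode "delete" for non-container installs, "empty" for
# container deployments (the advisory says to replace the file there rather
# than remove it). A copy of the original is kept as <file>.bak.<epoch> so the
# change can be reverted once the host is upgraded to 7.4.1 or later.
# Idempotent: a second run on a host that is already mitigated changes nothing.
neutralize_setup_page() {
    dir="$1"
    mode="$2"
    f="$dir/$SETUP_PAGE"
    case "$mode" in
        delete|empty) ;;
        *) echo "mode must be delete or empty" >&2; return 2 ;;
    esac
    state=$(setup_page_status "$dir")
    if [ "$state" != present ]; then
        echo "workaround already in place ($state)"
        return 0
    fi
    cp -p "$f" "$f.bak.$(date +%s)" || return 1
    if [ "$mode" = delete ]; then
        rm -f "$f"
    else
        : > "$f"    # truncate in place; the empty file stays, as the advisory says
    fi
    echo "workaround applied ($mode); restart the GoAnywhere services now"
}

# Usage: sh cve-2024-0204-workaround.sh /path/to/GoAnywhere [delete|empty]
# With only the directory argument the script reports status and changes nothing.
if [ "${1:-}" ]; then
    if [ "${2:-}" ]; then
        neutralize_setup_page "$1" "$2"
    else
        echo "$SETUP_PAGE: $(setup_page_status "$1")"
    fi
fi
```

Run it first with just the directory argument on every GoAnywhere host you own to get an inventory of where the workaround is still missing; the status check is read-only, so it is safe to run from configuration management on a schedule until the upgrade to 7.4.1 is complete.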

Rapid7 customers

InsightVM and Nexpose customers are able to assess their exposure to CVE-2024-0204 with an unauthenticated vulnerability check (vuln ID: goanywhere-cve-2024-0204) available in the content update released on January 23 at 3:20pm ET.

Updates

January 23, 2024: Updated to note that the vulnerability appears to have been communicated to GoAnywhere MFT customers privately in early December. Mitigation guidance updated to reinforce that administrative portals should not be exposed to the public internet.

January 24, 2024: Updated to reflect that Fortra has indicated CVE-2024-0204 was not exploited in the wild at time of public disclosure.