On February 3, 2023, Fortra, the developer of GoAnywhere MFT (Managed File Transfer), sent an advisory to its customers warning them of a zero-day remote code execution vulnerability being actively exploited in the wild. Successful exploitation could allow sensitive data to be exfiltrated from the file transfer platform and used for extortion.
The vulnerability lies in the GoAnywhere MFT administrator console, so exploitation requires network access to that console. In most deployments the administrator console is not exposed to the internet and should be reachable only from a private internal network or from allow-listed IP addresses. Both the on-premises and SaaS implementations of GoAnywhere MFT are affected.
Note: The web client interface is not affected by this vulnerability, only the administrator console.
Fortra has released an emergency patch, version 7.1.2, and advised all GoAnywhere MFT customers to apply this patch to their instances as soon as possible to secure themselves from potential attacks.
Arctic Wolf Labs is actively monitoring intelligence sources for additional information linked to this campaign, including relevant and timely indicators of compromise. Proof-of-concept exploit code has been released publicly, which lowers the bar for further exploitation. Arctic Wolf strongly recommends that all organizations running the affected product apply the emergency patch as soon as possible.
Recommendations for Actively Exploited GoAnywhere MFT Zero-Day Vulnerability
This section summarizes the recommendations Fortra has provided for patching and mitigating affected GoAnywhere MFT instances.
Recommendation #1: Patch your GoAnywhere MFT instances
Apply the emergency patch (7.1.2) to your GoAnywhere MFT instance as soon as possible.
You can download the security patch from the “Product Downloads” tab at the top of the GoAnywhere account page after logging in.
Recommendation #2: Apply GoAnywhere Workaround
If your organization is not able to apply the emergency patch immediately, we strongly recommend following Fortra's mitigation advice to reduce the risk of exploitation until the patch can be applied.
- Implement access controls that ensure only trusted sources can reach the administrator console.
- Disable the vulnerable licensing servlet by commenting out or deleting its servlet and servlet-mapping entries in the application's web.xml file, then restart GoAnywhere MFT so the servlet container reloads the configuration. The GoAnywhere advisory names the exact entries and details how to do this.
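The following script is an added example, not Fortra's or Arctic Wolf's code, showing how the web.xml edit from the second mitigation step can be applied and then verified. It parses a web.xml, replaces the `<servlet>` and `<servlet-mapping>` blocks for a given servlet-name with XML comments (so the original content is preserved for rollback), and confirms that no live entry for that servlet remains. The servlet name, class and URL pattern in the embedded sample are placeholders constructed for the example; substitute the entries named in the Fortra advisory for your version.

```python
"""Comment out a servlet and its servlet-mapping in a Java web.xml.

Added example (not Fortra's or Arctic Wolf's code). The servlet name,
class and URL pattern in SAMPLE_WEB_XML are placeholders; substitute the
entries named in the vendor advisory for the real file.
"""
import xml.etree.ElementTree as ET

# Constructed sample web.xml with placeholder names (not GoAnywhere's own).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>AdminConsole</servlet-name>
    <servlet-class>com.example.AdminServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>LicensingServlet</servlet-name>
    <servlet-class>com.example.LicenseServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AdminConsole</servlet-name>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>LicensingServlet</servlet-name>
    <url-pattern>/license/accept</url-pattern>
  </servlet-mapping>
</web-app>
"""

TARGET_SERVLET = "LicensingServlet"  # placeholder servlet-name


def _local(tag):
    """Strip the namespace from a tag: '{ns}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _namespace(tag):
    """Return the namespace URI of a tag, or '' if it has none."""
    return tag[1:tag.index("}")] if tag.startswith("{") else ""


def _servlet_name(elem):
    """Return the text of the element's <servlet-name> child, if any."""
    for child in elem:
        if _local(child.tag) == "servlet-name":
            return (child.text or "").strip()
    return None


def disable_servlet(web_xml, servlet_name):
    """Return web.xml text in which every <servlet> and <servlet-mapping>
    for servlet_name is replaced by an XML comment holding its content.
    Raises ValueError if either kind of entry is missing, so a typo in the
    name cannot silently produce an unmitigated file."""
    root = ET.fromstring(web_xml)
    ns = _namespace(root.tag)
    if ns:
        ET.register_namespace("", ns)  # keep the default namespace unprefixed
    counts = {"servlet": 0, "servlet-mapping": 0}
    for idx, child in enumerate(list(root)):
        kind = _local(child.tag)
        if kind in counts and _servlet_name(child) == servlet_name:
            original = ET.tostring(child, encoding="unicode").strip()
            comment = ET.Comment(" disabled per vendor mitigation:\n"
                                 + original + "\n")
            comment.tail = child.tail  # preserve surrounding whitespace
            root.remove(child)
            root.insert(idx, comment)  # same position, so indices stay valid
            counts[kind] += 1
    if not counts["servlet"] or not counts["servlet-mapping"]:
        raise ValueError(f"expected a <servlet> and a <servlet-mapping> named "
                         f"{servlet_name!r}, found {counts}")
    return ET.tostring(root, encoding="unicode")


def servlet_active(web_xml, servlet_name):
    """True if a live <servlet> or <servlet-mapping> for servlet_name remains.
    The parser drops comments, so commented-out entries do not count."""
    root = ET.fromstring(web_xml)
    return any(_local(c.tag) in ("servlet", "servlet-mapping")
               and _servlet_name(c) == servlet_name for c in root)


if __name__ == "__main__":
    patched = disable_servlet(SAMPLE_WEB_XML, TARGET_SERVLET)
    print(patched)
    print("licensing servlet still active:",
          servlet_active(patched, TARGET_SERVLET))
```

Run `servlet_active()` against the edited file as a post-change check, and keep the pre-edit copy of web.xml so the change can be reverted once the vendor patch is installed. Commenting out rather than deleting keeps the original entries visible in the file for that rollback.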
Recommendation #3: Do Not Expose the administrator console to the Internet
Do not expose the GoAnywhere MFT administrator console to the Internet. If access from outside your organization is business critical, ensure proper access controls are in place and that the console can only be reached by company-managed assets through a VPN.
References
- Brian Krebs (Mastodon)
- GoAnywhere Advisory (note: a user account is required to access the advisory)
- Proof of Concept Exploit