GoAnywhere MFT (Managed File Transfer) is a secure file transfer solution suitable for organizations of all sizes, from small businesses to large enterprises with complex file transfer requirements.

It’s a streamlined service for environments that demand high confidentiality in terms of storing, transferring, and accessing data, offering features such as role-based access control, integration with various authentication providers (including LDAP, Active Directory, and OAuth), and many more.

The Vulnerability

Today we’re dealing with a vulnerability that is usually not very exposed, meaning the attacker needs to have elevated privileges to exploit it. More precisely, the vulnerable part is the admin panel, which in practice doesn’t need to be exposed to the internet, and should be accessible only through a local network or VPN.

This 7.8 CVSS-scored zero-day vulnerability suffers from CWE-502 (deserialization of untrusted data), which we’ve already dealt with in the XStream library vulnerability (CVE-2021-39144). CWE-502 describes a lack of data validation after the deserialization, which allows an attacker to craft a serialized dataset including the malicious code that gets interpreted or executed.

Unfortunately, Fortra’s official advisory is for “paying customers only”. From a non-ethical point of view, we can’t argue with their logic: it makes it easier to sell faulty software. Our colleagues at AttackerKB have done an excellent analysis of the vulnerable app by decompiling it using Skylot’s jadx (Dex to Java decompiler).

According to their analysis, this vulnerability results from bad implementation of encryption. The application uses a static string to generate a key, which is used to encrypt sensitive data. An attacker can easily obtain this key by following a few short steps and decompiling the app, then using it to decrypt sensitive data, including credentials stored in the system database.

To exploit the vulnerability, an attacker can intercept a specific request to the server, add a parameter with the decrypted credentials, and then send the modified request to the server. The server, which is expecting encrypted data, decrypts the attacker's payload, allowing the attacker to obtain sensitive information from the server's database.

Overall, this vulnerability highlights the importance of proper input validation and secure coding practices, such as avoiding hardcoding encryption keys and using strong, randomly generated encryption keys. It also underscores the need for regular security testing and code audits to identify and mitigate vulnerabilities before they can be exploited by attackers.

Affected Versions & Mitigation

The vulnerability is present all the way up to (but not included in) version 7.1.2, considering we’re talking about a zero-day.

It’s normal for software products to have flaws, so whether or not they are known, we should always maintain a careful approach. Having that said - there is no reason for an admin console for this sort of solution to be accessible from the internet, just like there is no need for your home router’s admin panel to be accessible from the internet. Currently, we are scanning the web for this vulnerability (among many others). We strongly encourage you to follow us and find out, as soon as scanning results are published, whether your IPs are listed.

Outsourcing security audits can be a smart decision even if a company has proper in-house IT security personnel. This is because an outside auditor can bring a fresh perspective on the security protocols and practices that are currently in place. An internal IT team may be biased towards certain systems or processes, and may not be able to identify blind spots or weaknesses in the system that an external auditor could spot more easily.

Finally, outsourcing security audits can also provide an added layer of accountability. If an external auditor identifies security risks that the internal IT team missed, it can help ensure that the company takes the necessary steps to address them. This can help avoid the "not my problem" mentality that sometimes arises in large organizations, and ensure that everyone is working towards a common goal of keeping the company's information and systems secure.

Subscribe to be updated on the new content!

Subscription Form (#4)