CISA adds Fortra GoAnywhere MFT RCE Vulnerability (CVE-2023-0669) to their Known Exploited Vulnerabilities Catalog
Dark Lab on Feb 24 2023
Affected Products: GoAnywhere MFT
Impact: RCE
PoC: Yes - https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html
Exploit in the wild: Yes
Discussion in SOCINT/DARKINT:
Known TA exploiting this CVE: TA505, Cl0p Ransomware
IoC:
As soon as possible, please follow the steps below to determine whether the GoAnywhere MFT instance(s) you have running have been targeted for this exploit.
Search for the following:
Errors containing the text “/goanywhere/lic/accept”
NOTE: By default, GoAnywhere rotates its log when it reaches 5 MB and keeps 10 archived copies, so search the active log and every archive, not just the current file. In a cluster, [system_name] is the name of each node: search userdata/logs/[system_name]-goanywhere.log* on every node. Standalone (non-HA) installs name the files goanywhere.log, goanywhere.log1, goanywhere.log2, etc.
Errors containing the text “Error parsing license response”
The following error has also been observed and further indicates that an exploit payload was delivered. It is the commons-beanutils deserialization gadget chain (BeanComparator invoked from PriorityQueue.readObject) failing while the License Response Servlet deserializes the attacker-supplied object; a legitimate license response does not contain such an object.
java.lang.RuntimeException: InvocationTargetException: java.lang.reflect.InvocationTargetException
at org.apache.commons.beanutils.BeanComparator.compare(BeanComparator.java:171)
at java.util.PriorityQueue.siftDownUsingComparator(PriorityQueue.java:721)
at java.util.PriorityQueue.siftDown(PriorityQueue.java:687)
at java.util.PriorityQueue.heapify(PriorityQueue.java:736)
at java.util.PriorityQueue.readObject(PriorityQueue.java:796)
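The search above is easy to do by hand with grep on one host, but across ten rotated archives per node it is worth scripting. The following is an added example for this write-up, not a Fortra tool: it applies the three indicators from the vendor guidance to every goanywhere.log* file in a userdata/logs directory (HA-prefixed or standalone naming) and summarises hits per indicator. The embedded SAMPLE_LOG lines are constructed for illustration and do not reproduce GoAnywhere's real log format; only the indicator strings come from the guidance.

```python
"""Hunt GoAnywhere MFT logs for the CVE-2023-0669 indicators.

Added example for this write-up, not vendor code. Indicator strings are
those from the Fortra guidance quoted above; SAMPLE_LOG is constructed.
"""
import os
import re
import sys
from collections import Counter

# Indicator -> pattern. The BeanComparator/PriorityQueue.readObject trace is
# the commons-beanutils gadget chain failing inside the License Response
# Servlet, which ordinary license handling does not produce.
INDICATORS = {
    "lic_accept_error": re.compile(r"/goanywhere/lic/accept"),
    "license_parse_error": re.compile(r"Error parsing license response"),
    "beanutils_gadget_trace": re.compile(
        r"org\.apache\.commons\.beanutils\.BeanComparator\.compare"
        r"|java\.util\.PriorityQueue\.readObject"
    ),
}

# goanywhere.log, goanywhere.log1, goanywhere.log.2, node1-goanywhere.log3 ...
LOG_NAME = re.compile(r"^(?:[^/\\]+-)?goanywhere\.log(?:\.?\d+)?$")


def is_goanywhere_log(filename):
    """True for the active log and its rotated archives, HA-prefixed or not."""
    return LOG_NAME.match(os.path.basename(filename)) is not None


def scan_lines(lines, source="<memory>"):
    """Return (source, line_no, indicator, line) for every indicator match."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, pat in INDICATORS.items():
            if pat.search(line):
                hits.append((source, n, name, line.rstrip("\n")))
    return hits


def scan_log_dir(log_dir):
    """Scan every goanywhere.log* file in userdata/logs (all archives)."""
    hits = []
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if os.path.isfile(path) and is_goanywhere_log(name):
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits.extend(scan_lines(fh, source=path))
    return hits


def summarize(hits):
    """Count hits per indicator; a gadget trace next to a /lic/accept error
    is the strongest sign that an exploit payload was delivered."""
    return Counter(name for _, _, name, _ in hits)


# Constructed sample: one node's log around an exploitation attempt.
SAMPLE_LOG = [
    "2023-02-01 03:14:07 INFO  GoAnywhere MFT started",
    "2023-02-01 03:14:52 ERROR /goanywhere/lic/accept - Error parsing license response",
    "2023-02-01 03:14:52 ERROR java.lang.RuntimeException: InvocationTargetException: "
    "java.lang.reflect.InvocationTargetException",
    "\tat org.apache.commons.beanutils.BeanComparator.compare(BeanComparator.java:171)",
    "\tat java.util.PriorityQueue.siftDownUsingComparator(PriorityQueue.java:721)",
    "\tat java.util.PriorityQueue.readObject(PriorityQueue.java:796)",
    "2023-02-01 03:20:00 INFO  User alice logged in to the Web Client",
]

if __name__ == "__main__":
    # Usage: python hunt_goanywhere.py [path/to/userdata/logs]
    hits = scan_log_dir(sys.argv[1]) if len(sys.argv) > 1 else scan_lines(SAMPLE_LOG)
    for source, n, name, line in hits:
        print(f"{source}:{n} [{name}] {line}")
    print("summary:", dict(summarize(hits)))
```

Run it once per node against that node's userdata/logs directory; an isolated /goanywhere/lic/accept error deserves a look, but the gadget-chain trace within the same second is what turns "targeted" into "exploit delivered", and at that point the host should be treated as compromised and the forensic work (new admin users, web shells, outbound connections) begins.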
Fortra (formerly HelpSystems) GoAnywhere MFT versions prior to 7.1.2 contain a pre-authentication remote code execution vulnerability in the License Response Servlet of the admin console, reached at /goanywhere/lic/accept: the servlet deserializes an arbitrary attacker-controlled Java object, which is exactly what the log indicators above are detecting. The issue was patched in version 7.1.2.
Successful exploitation requires network access to the admin console of the application, which in most deployments is reachable only from the private company network, over VPN, or from allow-listed IP addresses. If the admin console is publicly exposed, access controls are required to limit it to trusted sources and reduce the risk of compromise. Only the administrative interface is susceptible to exploitation; the public-facing Web Client interface is not, though according to best practice it should also not be exposed to the internet.
The vulnerability has been observed being exploited by operators of the Cl0p ransomware (TA505).
Fortra released a patch for the vulnerability (GoAnywhere MFT 7.1.2) on 8 February 2023 and subsequently provided an updated security advisory on 13 February 2023 with further mitigation and remediation advice.
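For instances that cannot be patched immediately, Fortra's zero-day advisory (linked below) gave a workaround: remove the License Response Servlet and its /lic/accept mapping from [install_dir]/adminroot/WEB-INF/web.xml and restart GoAnywhere. The following is an added example for this write-up, not vendor code: it checks whether that mapping is still present in a web.xml and produces a copy with the servlet and mapping removed. The servlet class and URL pattern are as given in the advisory (confirm them against the linked text before relying on this); SAMPLE_WEB_XML is a constructed, trimmed stand-in for a real web.xml, and com.example.OtherServlet is a placeholder.

```python
"""Check and apply the Fortra web.xml workaround for CVE-2023-0669.

Added example for this write-up, not vendor code. VULN_SERVLET_CLASS and
VULN_URL_PATTERN are as published in Fortra's advisory; SAMPLE_WEB_XML is
a constructed stand-in for [install_dir]/adminroot/WEB-INF/web.xml.
"""
import sys
import xml.etree.ElementTree as ET

VULN_SERVLET_CLASS = "com.linoma.ga.ui.admin.servlet.LicenseResponseServlet"
VULN_URL_PATTERN = "/lic/accept"


def _local(tag):
    # web.xml normally declares a default namespace; compare local names only.
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def _parse(web_xml_text):
    root = ET.fromstring(web_xml_text)
    if root.tag.startswith("{"):
        # Keep the default namespace unprefixed when we serialise again.
        ET.register_namespace("", root.tag[1:root.tag.index("}")])
    return root


def _vulnerable_servlet_names(root):
    return {
        _child_text(el, "servlet-name")
        for el in root
        if _local(el.tag) == "servlet"
        and _child_text(el, "servlet-class") == VULN_SERVLET_CLASS
    }


def license_servlet_exposed(web_xml_text):
    """True if the License Response Servlet is still mapped in this web.xml."""
    root = _parse(web_xml_text)
    names = _vulnerable_servlet_names(root)
    for el in root:
        if _local(el.tag) == "servlet-mapping" and (
            _child_text(el, "url-pattern") == VULN_URL_PATTERN
            or _child_text(el, "servlet-name") in names
        ):
            return True
    return False


def remove_license_servlet(web_xml_text):
    """Return web.xml text with the vulnerable servlet and its mapping removed."""
    root = _parse(web_xml_text)
    names = _vulnerable_servlet_names(root)
    for el in list(root):
        kind = _local(el.tag)
        if kind in ("servlet", "servlet-mapping") and (
            _child_text(el, "servlet-name") in names
            or (kind == "servlet-mapping"
                and _child_text(el, "url-pattern") == VULN_URL_PATTERN)
        ):
            root.remove(el)
    return ET.tostring(root, encoding="unicode")


# Constructed, trimmed stand-in for a pre-workaround web.xml.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>License Response Servlet</servlet-name>
    <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
    <load-on-startup>0</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>Example Other Servlet</servlet-name>
    <servlet-class>com.example.OtherServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>License Response Servlet</servlet-name>
    <url-pattern>/lic/accept</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Example Other Servlet</servlet-name>
    <url-pattern>/other</url-pattern>
  </servlet-mapping>
</web-app>
"""

if __name__ == "__main__":
    # Usage: python check_webxml.py [path/to/adminroot/WEB-INF/web.xml]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    print("EXPOSED: /lic/accept still mapped" if license_servlet_exposed(text)
          else "mapping absent")
```

Use the check as an audit across all nodes; for the actual change, back up web.xml, remove the two elements by hand (ElementTree drops comments and the XML declaration when it re-serialises), and restart the application as the advisory instructs. The workaround only closes this one entry point; it is not a substitute for upgrading to 7.1.2 or later and for keeping the admin console off the internet.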
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://nvd.nist.gov/vuln/detail/CVE-2023-0669
https://attackerkb.com/topics/mg883Nbeva/cve-2023-0669/rapid7-analysis
https://duo.com/decipher/fortra-patches-actively-exploited-zero-day-in-goanywhere-mft
https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html
https://github.com/rapid7/metasploit-framework/pull/17607
https://infosec.exchange/@briankrebs/109795710941843934
https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml#zerodayfeb1
https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/