GoAnywhere MFT CVE-2023-0669

Overview

On 1st February 2023 Fortra released a security advisory for a zero-day remote code injection vulnerability in their GoAnywhere MFT (Managed File Transfer) product. There were two aspects of this vulnerability that immediately suggested this issue would be quickly and widely exploited.

  • Managed file transfer solutions are generally more relevant to larger organisations with a need to manage significant volumes of data. This makes every deployment a potentially valuable target to an attacker; in other words, this type of product has a very high exploit ROI.

  • The skill set needed to analyse and produce exploits for Java deserialisation vulnerabilities is now relatively widespread; exploit variations can be produced and deployed relatively easily and, once developed, an exploit will tend to run reliably most of the time. Vulnerabilities of this type are frequently listed in the CISA's Known Exploited Vulnerabilities Catalog.

The vulnerability is a little unusual in that the exploit payload needs to be encrypted. The vulnerable code is in a license activation function, so the encryption was presumably intended to prevent license spoofing. Unfortunately the encryption construction uses a key derived from a hard-coded password, so reverse engineering the cryptographic construction and recovering the key turned out to be relatively straightforward.

Deployment Metrics

At the time of writing we were able to identify 769 distinct IP addresses that expose GoAnywhere MFT's Web Client interface. Extending the analysis to the past 12 months reveals 1880 distinct IP addresses that have exposed the Web Client interface at some point during that 12 month period. The variation is likely to be a result of short-lived evaluation or test deployments that are no longer available. 

This vulnerability impacts the product’s administrative interface. In a typical deployment this interface might not (and should not) be directly reachable from the Internet. Our analysis shows that there are 386 IP addresses that currently expose the administrative interface to the Internet. While this is not a huge number, it still means that a significant volume of sensitive data may be at risk. This data also suggests that 50% of discoverable Internet-facing deployments expose the administrative interface to the Internet; this metric may be skewed by test/evaluation deployments, but it is still a worryingly high proportion.

The chart below shows the current, and historic, distribution of GoAnywhere versions with administrative interfaces on the Internet. Note that only version 7.1.2 contains the patch for CVE-2023-0669 but the vendor has provided mitigation guidance for the other versions, so the use of an older version doesn’t necessarily indicate that the deployment is still vulnerable.

(Chart: CVE-2023-0669: GoAnywhere admin interfaces on the Internet.)

Check Your Blind Spot

It is noteworthy that this is a relatively niche product that was originally developed by a small software vendor. Products of this shape can often represent something of a blind spot in an organisation's attack surface even though they present a very tempting target to a hacker. As larger vendors continue to improve their internal security engineering processes, it is likely that we will see a continuing increase in the level of focus on this type of product.

When a vulnerability is identified in a rarely used product it can take valuable time to work out how to discover instances that form part of your attack surface. Our EdgeScope product reduces this time to almost zero by providing a fully searchable index of responses from across your attack surface. For this issue, simply typing "GoAnywhere" into EdgeScope's search page would have identified all instances of this product that were present in your attack surface in a few milliseconds.
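The triage described above (find every GoAnywhere instance in an index of captured responses, separate Web Client from administrative interfaces, and flag versions below the 7.1.2 patch level) can be expressed as a small script. This is an added example, not EdgeScope code or anything from the vendor. The index records are constructed sample data; the version banner regex and the treatment of "/goanywhere/" paths as the administrative console are assumptions made for illustration (only the "/webclient/" prefix appears on this page, in the vendor advisory URL).

```python
import re
from typing import Iterable, List, Optional, Tuple

# Per the post: only 7.1.2 contains the patch for CVE-2023-0669.
PATCHED_VERSION = (7, 1, 2)

# Assumed path conventions (illustrative): "/webclient/" is taken from the vendor
# advisory URL; "/goanywhere/" is an assumption for the administrative console.
WEB_CLIENT_PREFIX = "/webclient/"
ADMIN_PREFIX = "/goanywhere/"

# Assumed banner format "GoAnywhere MFT x.y.z"; real responses may differ.
VERSION_RE = re.compile(r"GoAnywhere(?: MFT)?\s+(\d+)\.(\d+)\.(\d+)")

# Constructed sample index records: (ip, request path, response body).
SAMPLE_INDEX: List[Tuple[str, str, str]] = [
    ("203.0.113.10", "/webclient/Login.xhtml",
     "<title>GoAnywhere Web Client</title> GoAnywhere MFT 7.1.2"),
    ("203.0.113.11", "/goanywhere/auth/Login.xhtml",
     "<title>GoAnywhere</title> GoAnywhere MFT 6.8.6"),
    ("203.0.113.12", "/", "<title>Welcome to nginx</title>"),
    ("203.0.113.13", "/goanywhere/auth/Login.xhtml", "GoAnywhere MFT 7.0.3"),
    ("203.0.113.14", "/webclient/Login.xhtml", "GoAnywhere Web Client"),
]


def parse_version(body: str) -> Optional[Tuple[int, ...]]:
    """Extract a GoAnywhere version tuple from a response body, if a banner is present."""
    match = VERSION_RE.search(body)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def classify_interface(path: str) -> str:
    """Label the interface from the request path (assumed prefixes, see above)."""
    if path.startswith(WEB_CLIENT_PREFIX):
        return "web-client"
    if path.startswith(ADMIN_PREFIX):
        return "admin"
    return "unknown"


def patch_status(version: Optional[Tuple[int, ...]]) -> str:
    """Versions below 7.1.2 lack the patch; the vendor mitigation may still be applied."""
    if version is None:
        return "unknown-version"
    if version >= PATCHED_VERSION:
        return "patched"
    return "unpatched-check-mitigation"


def find_goanywhere(index: Iterable[Tuple[str, str, str]]) -> List[dict]:
    """Return one finding per indexed response that mentions GoAnywhere."""
    findings = []
    for ip, path, body in index:
        if "goanywhere" not in body.lower():
            continue
        version = parse_version(body)
        findings.append({
            "ip": ip,
            "interface": classify_interface(path),
            "version": version,
            "status": patch_status(version),
        })
    return findings


def admin_exposure_ratio(findings: List[dict]) -> float:
    """Fraction of discovered hosts that expose the administrative interface."""
    hosts = {f["ip"] for f in findings}
    if not hosts:
        return 0.0
    admin_hosts = {f["ip"] for f in findings if f["interface"] == "admin"}
    return len(admin_hosts) / len(hosts)


if __name__ == "__main__":
    results = find_goanywhere(SAMPLE_INDEX)
    for r in results:
        print(f"{r['ip']:<14} {r['interface']:<11} {r['version']} {r['status']}")
    print(f"admin interface exposure: {admin_exposure_ratio(results):.0%}")
```

The status "unpatched-check-mitigation" is deliberate: as the post notes, an older version does not by itself prove the deployment is vulnerable, so a below-7.1.2 result is a prompt to confirm whether the vendor's mitigation has been applied rather than a verdict.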

Lessons Learned

Looking at the nature of this vulnerability, there are two clear actions that organisations can take to reduce their exposure to similar issues in the future:

  • Lock down administrative interfaces: In their security advisory, Fortra quite correctly noted that the vulnerable administrative interface should only be reachable from a trusted network. In practice, as the above data shows, this type of vendor security guidance is not always followed. In the real world there are a multitude of reasons why an organisation may choose to deploy a product in a way that deviates from the vendor's guidance. When it comes to administrative interfaces, however, we strongly recommend making sure that there is, at the very least, a mechanism in place to prevent direct access from the Internet.

  • Be prepared to respond quickly: It is a certainty that we will see a continuing stream of vulnerabilities that impact the 'dark corners' of an organisation's attack surface. If you aren’t in a position to respond quickly to this type of emerging threat then it is simply a matter of time before one of those dark corners turns into a network breach. Our EdgeScope Attack Surface Management tool was designed to enable security teams to instantly find and analyse your exposure to this type of threat. In the current environment some level of automated surface analysis is a critical requirement.

Need any Help?

Our EdgeScope Attack Surface Management tool, and our range of consulting services, are designed to help you identify, analyse, and mitigate security risks that impact your network. For more details please get in touch.

Further Reading

Vendor Advisory (an account with the vendor is needed to view this):
https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml#zerodayfeb1

Frycos Security Diary has a great analysis of the underlying vulnerability:
https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html

NIST NVD Entry:
https://nvd.nist.gov/vuln/detail/CVE-2023-0669

EdgeScope Attack Surface Management:
https://www.secmatics.com/edgescope

The CISA's Known Exploited Vulnerabilities Catalog:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
