- The GoAnywhere MFT (Managed File Transfer) faces a zero-day remote code injection exploit and a patch is not yet available.
- The vulnerability allows unauthorized people to gain access to the administrative console of an application, which means they can change or delete information.
- The company has issued a security advisory, available only behind a membership wall, that shows ways to evaluate and mitigate your possible exposure to the exploit.
The GoAnywhere MFT (managed file transfer) is a storage device that can be used with any operating system. It is developed to provide convenient and reliable backup of data stored on your computer’s hard drive, as well as remote access to files and folders. Fortra is warning GoAnywhere MFT users about a zero-day remote code injection exploit. The company is taking steps to address the issue by temporarily shutting down its service.
How to spot if you have been affected
The vulnerability is used to gain access to the administrative console of an application, which means malicious actors can do things like change or delete information. The exploit requires access to that administrative console, which is usually only accessible from within a private company network, through a VPN, or if the application is running in a cloud environment, such as Azure or AWS. It is therefore essential to keep the application from being reachable from the public internet.
In its security advisory, which security reporter Brian Krebs shared because the advisory seems to be accessible only to members, the company provided ways to evaluate and mitigate your possible exposure to the exploit:
1. Review all administrator users
Evaluate your admin user accounts for anything suspicious. Key indicators on these accounts include unrecognized usernames. You can view more details by clicking the cog icon next to any User Name listed and selecting the “View” option.
If the timing of the account creation seems recent or suspicious, investigate further. You can search the Administration log for activity (Reporting -> Audit Logs -> Administration). Search for anything created by the root user. Click the magnifying glass next to the log of suspicious activity to view more details.
2. Apply mitigation configuration
On the file system where GoAnywhere MFT is installed, edit the file [install_dir]/adminroot/WEB_INF/web.xml. Find and remove (delete or comment out) the servlet and servlet-mapping configuration shown in the screenshot below.
If GoAnywhere MFT is clustered, this change needs to happen on every instance node in the cluster.
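A way to confirm the edit from step 2 took effect, as an added example that is not part of Fortra's advisory or this article: the script parses a web.xml and reports whether a given servlet and its servlet-mapping are still active, ignoring commented-out blocks. The servlet name is a placeholder because the advisory shows it only in a screenshot that is not reproduced here; the function names and sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Placeholder: the advisory names the servlet only in a screenshot that is
# not reproduced here, so substitute the real <servlet-name> value.
TARGET_SERVLET = "PLACEHOLDER_SERVLET_NAME"


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop a "{namespace}" prefix if present


def active_entries(web_xml_text, servlet_name=TARGET_SERVLET):
    """Return which of 'servlet' / 'servlet-mapping' are still active for
    servlet_name. Commented-out blocks are dropped by the XML parser."""
    root = ET.fromstring(web_xml_text)
    found = set()
    for elem in root:
        kind = _local(elem.tag)
        if kind not in ("servlet", "servlet-mapping"):
            continue
        names = [c.text.strip() for c in elem
                 if _local(c.tag) == "servlet-name" and c.text]
        if servlet_name in names:
            found.add(kind)
    return sorted(found)


def mitigation_applied(web_xml_text, servlet_name=TARGET_SERVLET):
    """True only when both the servlet and its mapping are gone."""
    return not active_entries(web_xml_text, servlet_name)


# Constructed sample descriptors, not taken from a real installation.
UNPATCHED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet><servlet-name>PLACEHOLDER_SERVLET_NAME</servlet-name>
    <servlet-class>com.example.Placeholder</servlet-class></servlet>
  <servlet-mapping><servlet-name>PLACEHOLDER_SERVLET_NAME</servlet-name>
    <url-pattern>/placeholder</url-pattern></servlet-mapping>
</web-app>"""

HALF_DONE = UNPATCHED.replace("<servlet>", "<!-- <servlet>", 1) \
                     .replace("</servlet>", "</servlet> -->", 1)
MITIGATED = HALF_DONE.replace("<servlet-mapping>", "<!-- <servlet-mapping>") \
                     .replace("</servlet-mapping>", "</servlet-mapping> -->")

if __name__ == "__main__":
    for label, doc in [("unpatched", UNPATCHED), ("half done", HALF_DONE),
                       ("mitigated", MITIGATED)]:
        print(label, active_entries(doc), mitigation_applied(doc))
```

Pass the contents of each cluster node's web.xml to `active_entries`; a result that lists only one of the two element kinds means the edit on that node is incomplete.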
Fortra has not released a patch or update as of this writing.