Executive Summary
CVE-2023-0669 is a critical vulnerability identified in Fortra's GoAnywhere Managed File Transfer (MFT) software. This pre-authentication command injection flaw, found in the License Response Servlet, allows remote attackers to execute arbitrary code on affected systems without prior authentication. The vulnerability has a CVSS score of 9.8, indicating its critical nature. Exploitation of this vulnerability can lead to full system compromise, data exfiltration, and further lateral movement within the network. Immediate action is required to mitigate this threat.
Technical Information
CVE-2023-0669 is a pre-authentication command injection vulnerability in Fortra's GoAnywhere MFT software. The flaw resides in the License Response Servlet, which improperly deserializes user-supplied data. This improper deserialization allows an attacker to inject and execute arbitrary commands on the server, leading to full system compromise.
The vulnerability affects GoAnywhere MFT versions 7.1.1 and earlier. The attack vector is network-based, the attack complexity is low, and exploitation requires neither special privileges nor user interaction. The CVSS score of 9.8 highlights the critical nature of this flaw.
The technical root cause of the vulnerability lies in the improper handling of serialized data within the License Response Servlet. When the servlet processes user-supplied data, it fails to properly validate and sanitize the input, allowing an attacker to craft malicious serialized objects. These objects can then be deserialized by the servlet, leading to the execution of arbitrary commands on the server.
The impact of exploiting this vulnerability is severe. An attacker can gain full control over the affected system, exfiltrate sensitive data, and move laterally within the network. This can lead to significant data breaches, financial losses, and reputational damage for affected organizations.
Exploitation in the Wild
CVE-2023-0669 has been actively exploited in the wild. Attackers have been observed using this vulnerability to install additional tools such as Netcat and Errors on compromised systems. The exploitation typically involves gaining access to the administrative console of GoAnywhere MFT, which can be exposed to the internet.
Specific instances of exploitation have been reported by various sources. BleepingComputer reported that the CLOP Ransomware group claimed responsibility for attacks leveraging this zero-day vulnerability (https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-to-be-behind-goanywhere-zero-day-attacks/). Packet Storm Security provided details on remote code execution using this vulnerability (http://packetstormsecurity.com/files/171789/Goanywhere-Encryption-Helper-7.1.1-Remote-Code-Execution.html). Rapid7 also analyzed the vulnerability and its exploitation (https://attackerkb.com/topics/mg883Nbeva/cve-2023-0669/rapid7-analysis).
Indicators of Compromise (IOCs) include unusual network traffic to and from the GoAnywhere MFT server, the presence of unexpected tools such as Netcat and Errors on the server, and unauthorized access logs to the administrative console.
APT Groups using this vulnerability
While specific APT groups exploiting CVE-2023-0669 have not been publicly identified, the nature of the vulnerability and its exploitation in the wild suggest that it could be leveraged by advanced threat actors for targeted attacks. The sectors and countries targeted by these APT groups remain unspecified, but the critical nature of the vulnerability makes it a potential tool for sophisticated cyber espionage campaigns.
Affected Product Versions
The following product versions are affected by CVE-2023-0669:
Fortra GoAnywhere MFT: Version 7.1.1 and earlier
Organizations using these versions should take immediate action to mitigate the vulnerability.
Workaround and Mitigation
To mitigate the risk posed by CVE-2023-0669, organizations should implement the following strategies:
Patch and Update: Immediately apply the latest patches provided by Fortra to address this vulnerability. Ensure that all systems running GoAnywhere MFT are updated to the latest version.
Network Segmentation: Ensure that the GoAnywhere MFT administrative console is not exposed to the internet. Use network segmentation to limit access to the administrative console and other critical components.
Monitor and Detect: Implement monitoring solutions to detect unusual activities and potential exploitation attempts. Regularly review access logs and network traffic for signs of compromise.
Access Controls: Enforce strict access controls and multi-factor authentication for accessing the GoAnywhere MFT administrative console. Limit access to authorized personnel only.
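As an added illustration of the "Monitor and Detect" step above and of the access-log indicators listed under Exploitation in the Wild, the following triage script (example code written for this report, not Fortra's or any vendor's detection logic) flags unauthenticated POST requests to the License Response Servlet and admin-console requests from outside a management network. The servlet path, the admin-console URL prefix, the management network range and the log lines are all constructed assumptions; confirm the servlet mapping and console path against your own deployment before using it.

```python
"""Triage GoAnywhere MFT web access logs for CVE-2023-0669 indicators (constructed example)."""
import ipaddress
import re
from dataclasses import dataclass

# ASSUMPTIONS: adjust to your deployment's servlet mapping and console URL.
LICENSE_SERVLET_PATH = "/goanywhere/lic/accept"   # assumed License Response Servlet path
ADMIN_CONSOLE_PREFIX = "/goanywhere/"             # assumed admin console URL prefix
# Networks from which admin-console access is expected (constructed value).
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Combined/common access-log format (assumed); captures client IP, timestamp, method, path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines: one internal admin login, one external POST to the
# license servlet followed by an external console request, one benign web-client hit.
SAMPLE_LOG = """\
10.0.5.12 - - [01/Feb/2023:10:00:01 +0000] "GET /goanywhere/auth/Login.xhtml HTTP/1.1" 200 5120
203.0.113.45 - - [01/Feb/2023:10:02:17 +0000] "POST /goanywhere/lic/accept HTTP/1.1" 200 312
203.0.113.45 - - [01/Feb/2023:10:02:18 +0000] "GET /goanywhere/auth/Login.xhtml HTTP/1.1" 200 5120
10.0.5.12 - - [01/Feb/2023:10:05:00 +0000] "GET /webclient/Login.xhtml HTTP/1.1" 200 4000
""".splitlines()


@dataclass
class Finding:
    ip: str
    ts: str
    reason: str


def is_management_address(ip: str) -> bool:
    """True when the client address falls inside an allowed management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_ADMIN_NETS)


def triage(lines):
    """Return Findings for license-servlet POSTs and out-of-policy admin-console access."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        ip, ts, method, path = m["ip"], m["ts"], m["method"], m["path"].split("?")[0]
        external = not is_management_address(ip)
        if method == "POST" and path == LICENSE_SERVLET_PATH:
            # Any POST here reaches the pre-auth deserialization sink; external sources are worst.
            where = "non-management address" if external else "management address"
            findings.append(Finding(ip, ts, f"POST to License Response Servlet from {where}"))
        elif external and path.startswith(ADMIN_CONSOLE_PREFIX):
            findings.append(Finding(ip, ts, "admin console request from outside management networks"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.ip}: {f.reason}")
```

Feed it a real access log (one line per entry) in place of SAMPLE_LOG; a hit on the license servlet from an unexpected source warrants a host-level check for the tools named in the Indicators of Compromise section.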
References
For more information on CVE-2023-0669, please refer to the following sources:
NVD - CVE-2023-0669: https://nvd.nist.gov/vuln/detail/CVE-2023-0669
Fortra Blog - Summary of the Investigation Related to CVE-2023-0669: https://www.fortra.com/blog/summary-investigation-related-cve-2023-0669
SentinelOne - CVE-2023-0669: Fortra GoAnywhere MFT RCE Vulnerability: https://www.sentinelone.com/blog/cve-2023-0669/
GitHub - CVE-2023-0669: https://github.com/0xf4n9x/CVE-2023-0669
Rapid7 - Remote code injection via admin panel (CVE-2023-0669): https://www.rapid7.com/db/vulnerabilities/goanywhere-cve-2023-0669-remote-code-injection/
Broadcom Inc. - Web Attack: GoAnywhere MFT RCE CVE-2023-0669: https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=34094
Arctic Wolf - CVE-2023-0669: Actively Exploited GoAnywhere MFT Zero-Day: https://arcticwolf.com/resources/blog/actively-exploited-goanywhere-mft-zero-day-vulnerability/
Twingate - CVE-2023-0669 Report - Details, Severity, & Advisories: https://www.twingate.com/blog/tips/cve-2023-0669
UCSF IT - Vulnerability in Servlet in Fortra GoAnywhere: https://it.ucsf.edu/vulnerability-servlet-fortra-goanywhere
Rescana is here for you
At Rescana, we understand the critical importance of protecting your organization from emerging cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help you identify, assess, and mitigate vulnerabilities like CVE-2023-0669. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com. We are here to support you in safeguarding your digital assets and ensuring the security of your operations.