Several days after news of exploit attempts against a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool emerged, Fortra, the tool’s maker, has released an emergency fix for the bug.
Details of the attacks became public last week, and Fortra published an advisory for customers, warning them about the attacks and suggesting they deploy some mitigations and access control measures in the absence of an official patch. The vulnerability is a critical one and allows remote code injection.
“A Zero-Day Remote Code Injection exploit was identified in GoAnywhere MFT. The attack vector of this exploit requires public internet access to the administrative console of the application,” the Fortra advisory says.
“Due to the nature of the attack, it is critical to note that every managed credential within your GoAnywhere environment should be considered potentially compromised. This includes passwords and keys used to access any external systems with which GoAnywhere is integrated. Ensure that all credentials have been revoked from those external systems and review relevant access logs related to those systems. This also includes passwords and keys used to encrypt files within the system.”
GoAnywhere MFT is a file transfer product that can be deployed in enterprise networks, as a hosted SaaS product, or on cloud platforms such as AWS.
On Monday, Fortra released an emergency fix for the GoAnywhere MFT bug, which does not have a CVE identifier as of yet.
“A security patch is now available in GoAnywhere MFT. This patch (7.1.2) was created as a result of the issue we disclosed in the Security Advisories published last week related to GoAnywhere MFTaaS. We urgently advise all GoAnywhere MFT customers to apply this patch,” the patch release notification says.
“Particularly for customers running an admin portal exposed to the Internet, we consider this an urgent matter.”
The updated version of GoAnywhere MFT is version 7.1.2.