CVE-2023-0669
GoAnywhere MFT vulnerability analysis and mitigation

Overview

Fortra GoAnywhere MFT suffered from a pre-authentication command injection vulnerability (CVE-2023-0669) in the License Response Servlet, discovered between January 28-30, 2023. The vulnerability affected version 7.1.1 and earlier versions of the software and allowed attackers to achieve remote code execution by having the server deserialize arbitrary attacker-controlled objects. The issue was patched in version 7.1.2 (Fortra Blog, Sentinel One).

Technical details

The vulnerability exists in the License Response Servlet of GoAnywhere MFT, where the application deserializes untrusted data without proper validation. The flaw has a CVSS score of 7.2 (High) and requires network access to the administrative console for exploitation. The root cause is attacker-controlled input reaching the com.linoma.license.gen2.BundleWorker.unbundle method, where it is deserialized, giving rise to the deserialization vulnerability (Frycos Blog, Sentinel One).
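As an added illustration (not Fortra's code and not the actual servlet), the unsafe pattern described above sits beside a hardened version that applies a Java 9+ ObjectInputFilter allow-list before readObject() runs; the LicenseResponse class, the parameter handling and the sample objects are assumptions made for the demo.

```java
import java.io.*;
import java.util.Base64;
import java.util.HashMap;

public class LicenseUnbundleDemo {
    // Hypothetical payload type standing in for whatever the real servlet expects.
    static final class LicenseResponse implements Serializable {
        private static final long serialVersionUID = 1L;
        final String licensee;
        LicenseResponse(String licensee) { this.licensee = licensee; }
    }
    // Vulnerable pattern: a request parameter is base64-decoded and handed straight to
    // readObject(), so any Serializable class on the classpath can be instantiated.
    static Object unsafeUnbundle(String param) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(param);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();
        }
    }
    // Hardened pattern (Java 9+): an allow-list filter plus size/depth limits. Only the
    // named classes may be deserialized; "!*" rejects everything else before its code runs.
    static final ObjectInputFilter LICENSE_FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=5;maxbytes=65536;" + LicenseResponse.class.getName() + ";java.lang.String;!*");

    static Object safeUnbundle(String param) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(param);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(LICENSE_FILTER);
            return in.readObject(); // throws InvalidClassException for any rejected class
        }
    }
    // Helper to build constructed sample inputs for the demo.
    static String serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        String expected = serialize(new LicenseResponse("acme"));     // constructed sample
        String unexpected = serialize(new HashMap<String, String>()); // any unexpected object graph
        System.out.println("unsafe accepts: " + unsafeUnbundle(unexpected).getClass());
        System.out.println("safe accepts:   " + safeUnbundle(expected).getClass());
        try {
            safeUnbundle(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("safe rejects:   " + e.getMessage());
        }
    }
}
```

Compile and run with `javac LicenseUnbundleDemo.java && java LicenseUnbundleDemo`; the filter is defence in depth only, and the stronger fix is to stop deserializing client-supplied Java objects at all and require authentication on the endpoint.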

Impact

When successfully exploited, the vulnerability allows attackers to execute arbitrary code on vulnerable instances of GoAnywhere MFT with system-level privileges. In some MFTaaS customer environments the attacker was able to create unauthorized user accounts and download files from the hosted MFTaaS environments. The attacker also installed additional tools, such as 'Netcat' and 'Errors.jsp', in some customer environments (Fortra Blog).

Mitigation and workarounds

Fortra released patch version 7.1.2 to address the vulnerability. For immediate mitigation, users were advised to review all administrator users for suspicious activity, rotate Master Encryption Keys, reset all credentials including those of external trading partners/systems, and review audit logs. Organizations whose admin portals were exposed to the internet were advised to implement appropriate access controls and restrict access to trusted sources (Fortra Blog).

Community reactions

The vulnerability was initially reported by Brian Krebs on social media, leading to increased awareness in the cybersecurity community. Security researchers, including Kevin Beaumont, noted the significant number of systems exposing administrative ports to the public internet. The incident prompted Fortra to conduct a thorough investigation with Unit 42 and implement continuous improvement actions (Rapid7 Blog).

This report was generated using AI.
