CVE-2023-2990: 
Globalscape EFT vulnerability analysis and mitigation

Fortra Globalscape EFT (Enterprise File Transfer) versions before 8.1.0.16 are affected by a denial of service vulnerability (CVE-2023-2990). The vulnerability was discovered in June 2023 and allows an attacker to cause infinite recursion and crash the service by sending a compressed message that decompresses to itself (Rapid7 Blog, NVD).

The vulnerability exists in the administration server's message handling functionality, specifically when processing compressed messages. When a message with ID 0xff7f is received, the server attempts to decompress it. If the message is crafted to be a compression 'quine' (a message that decompresses to itself), it causes infinite recursion in the decompression function, leading to stack exhaustion and service crash. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (NVD).

When successfully exploited, this vulnerability results in a denial of service condition that crashes the Globalscape EFT server. This affects the availability of the file transfer service, potentially disrupting business operations that rely on the EFT server for file transfers (Rapid7 Blog).

The vulnerability is fixed in Globalscape EFT version 8.1.0.16. For systems that cannot be immediately updated, several mitigation steps are recommended: limit access to administer EFT at the network level, do not expose port 1100 to the internet, whitelist trusted IPs, and consider allowing administration only via localhost (::1 or 127.0.0.1) (Globalscape KB).