I’m reading about a [large breach](https://vulnera.com/newswire/brightline-data-breach-affects-over-780k-pediatric-mental-health-patients/) of Protected Health Information (PHI) that affected over 780,000 patients. From the article:
> The breach occurred after a ransomware gang exploited a zero-day vulnerability ([CVE-2023-0669](https://nvd.nist.gov/vuln/detail/CVE-2023-0669)) in the company’s Fortra GoAnywhere MFT secure file-sharing platform.
The description of the problem comes from NIST’s National Vulnerability Database (2nd link)”
> Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.
My understanding of a zero-day vulnerability is that it means there’s a publicly known weakness that hasn’t been fixed yet, but I haven’t found simplified explanations of how the hackers got the data.
Pre-Authentication is a point in time: before the user has logged in. Ergo, this is an attack that does not require a user to be logged in. Hence, no username or password is even required to try abusing it. (as opposed to something that requires you at least be logged in first).
So this is quite serious in that the only thing preventing an attacker from going at it would be they need to get connected first. If this service is just on the internet, yeah that’s a huge problem.
Next we have “command injection”. Injection means the attacker can craft something of their own choosing and send it to the server to have it acted on. In this case, a “command”. A bit vague, and I don’t know anything about the app in question. I’m guessing you could run command-line programs on the server of your own choosing. Or something similar.
zero-day vulnerability refers to a vulnerability that is used before it’s made public. It’s a new one not an old one. Pre-authentication means it’s ran before the username and password is seen as correct so it could be ran by anyone. Command injection means your injecting a command into something. Generally for something like this, the username field is used to inject a command by typing something into the username field that allows for a command to be ran on the server without valid permissions.
Full description here:
But basically preauth means you don’t need to login, and command injection at this level means the attacker can just send a script that the program reading it through some flaw will just start executing. Zero day is the day it was known about publicly, either from being found in use in the wild, or from someone publishing details. That turns it into a race between hackers trying to usefully exploit it, and developers trying to patch it.
This exploit is specifically to do with Java Deserialization. The server basically takes some user submitted data which is some form of encrypted software licence data and just decrypts it and turns it into a Java Object. There’s a few layers needed to exploit it like pulling the encryption key from a copy of the server code so you can encrypt the data, and some misconfiguration that allows an attacker to gain access to an admin console login/auth endpoint that isn’t normally publicly exposed, but that’s just how lots of vulnerabilities sneak by into big projects.
Sounds like they just searched for servers running the old unpatched version. This one was patched almost immediately by Fortra on 6 Feb, but that still requires updating. If I was looking to hack medical data, I would look for stuff like this and then probe for servers still running the old version.