What is a pre-authentication command injection vulnerability? (Cybersecurity/IT)


I’m reading about a [large breach](https://vulnera.com/newswire/brightline-data-breach-affects-over-780k-pediatric-mental-health-patients/) of Protected Health Information (PHI) that affected over 780,000 patients. From the article:

> The breach occurred after a ransomware gang exploited a zero-day vulnerability ([CVE-2023-0669](https://nvd.nist.gov/vuln/detail/CVE-2023-0669)) in the company’s Fortra GoAnywhere MFT secure file-sharing platform.

The description of the problem comes from NIST's National Vulnerability Database (2nd link):

> Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.

My understanding of a zero-day vulnerability is that it means there’s a publicly known weakness that hasn’t been fixed yet, but I haven’t found simplified explanations of how the hackers got the data.


8 Answers

Anonymous

Full description here:

https://attackerkb.com/topics/mg883Nbeva/cve-2023-0669/rapid7-analysis

But basically pre-auth means you don't need to log in, and command injection at this level means the attacker can just send a script that the program reading it, through some flaw, will just start executing. Zero day is the day it was known about publicly, either from being found in use in the wild or from someone publishing details. That turns it into a race between hackers trying to usefully exploit it and developers trying to patch it.

This exploit is specifically to do with Java deserialization. The server basically takes some user-submitted data, which is some form of encrypted software licence data, and just decrypts it and turns it into a Java object. There are a few layers needed to exploit it, like pulling the encryption key from a copy of the server code so you can encrypt the data, and some misconfiguration that allows an attacker to gain access to an admin console login/auth endpoint that isn't normally publicly exposed, but that's just how lots of vulnerabilities sneak into big projects.

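To make the answer above concrete, here is an added example (written for this page, not GoAnywhere's code and not the Rapid7 analysis) of the pattern it describes: an unauthenticated handler decrypts a "license response" with a key that ships inside the product, then hands the plaintext to `ObjectInputStream.readObject()`. Every name in it is invented (`LicenseDeserialization`, `LicenseResponse`, `NotALicense`, the 16-byte key), and the hostile payload is a harmless placeholder class rather than a real gadget chain. The vulnerable handler sits beside a hardened one that installs a JDK `ObjectInputFilter` allowlist (Java 9+), so the reader can see why "it's encrypted" is not a security boundary when the key is in the code, and what the class-level fix looks like.

```java
import java.io.*;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class LicenseDeserialization {

    // Invented key. A key embedded in shipped code is not a secret: anyone with a copy of the
    // server can extract it and produce "valid" ciphertext, so AES-GCM's integrity tag buys nothing.
    private static final byte[] EMBEDDED_KEY = "0123456789abcdef".getBytes(); // 16 bytes = AES-128

    /** The one class the handler actually expects to receive. */
    public static final class LicenseResponse implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String customer;
        public final long expiresEpochSeconds;
        public LicenseResponse(String customer, long expiresEpochSeconds) {
            this.customer = customer;
            this.expiresEpochSeconds = expiresEpochSeconds;
        }
    }

    /** Placeholder for "any other Serializable class on the classpath": its readObject hook runs
     *  during deserialization, before the caller gets a chance to look at the result's type. */
    public static final class NotALicense implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("NotALicense.readObject ran inside the handler");
        }
    }

    // Vulnerable: decrypt, then deserialize whatever object graph the body contains.
    public static Object handleVulnerable(String b64Body) throws Exception {
        byte[] plaintext = decrypt(Base64.getDecoder().decode(b64Body));
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(plaintext))) {
            return in.readObject(); // the cast the caller does later is too late
        }
    }

    // Hardened: the stream may only instantiate LicenseResponse (and String); everything else
    // is rejected with InvalidClassException before any constructor or readObject hook runs.
    public static LicenseResponse handleHardened(String b64Body) throws Exception {
        byte[] plaintext = decrypt(Base64.getDecoder().decode(b64Body));
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(plaintext))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                "maxdepth=3;maxbytes=4096;java.lang.String;" + LicenseResponse.class.getName() + ";!*"));
            return (LicenseResponse) in.readObject();
        }
    }

    static byte[] decrypt(byte[] ivAndCiphertext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        byte[] iv = Arrays.copyOfRange(ivAndCiphertext, 0, 12);
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(EMBEDDED_KEY, "AES"), new GCMParameterSpec(128, iv));
        return c.doFinal(ivAndCiphertext, 12, ivAndCiphertext.length - 12);
    }

    /** What anyone holding the extracted key can do: serialize any object and wrap it correctly. */
    static String encryptAndSerialize(Object payload) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(payload); }
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(EMBEDDED_KEY, "AES"), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(bytes.toByteArray());
        byte[] body = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, body, 0, iv.length);
        System.arraycopy(ct, 0, body, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(body);
    }

    public static void main(String[] args) throws Exception {
        String legit = encryptAndSerialize(new LicenseResponse("acme", 1_900_000_000L));
        String hostile = encryptAndSerialize(new NotALicense());

        System.out.println("vulnerable, legit:   " + handleVulnerable(legit).getClass().getSimpleName());
        System.out.println("vulnerable, hostile: " + handleVulnerable(hostile).getClass().getSimpleName());
        System.out.println("hardened, legit:     " + handleHardened(legit).customer);
        try {
            handleHardened(hostile);
        } catch (InvalidClassException e) {
            System.out.println("hardened, hostile:   rejected by filter: " + e.getMessage());
        }
    }
}
```

Running it shows the hostile body printing from `NotALicense.readObject` inside `handleVulnerable`, while `handleHardened` throws `InvalidClassException` before that hook can execute. The filter is the narrow fix for "arbitrary attacker-controlled object"; the broader lessons from the answer are that decrypting with a key the attacker can recover from the product is not authentication (a signature checked against a key the server holds only the public half of would be), that Java serialization should simply not be used for anything a network client can send (a fixed-schema format such as JSON or protobuf gives no class to instantiate), and that an endpoint like this belongs behind authentication and off the public interface regardless.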