Black Arrow Cyber Advisory 08 August 2024 – Critical WhatsUp Gold RCE Vulnerability

Executive summary

Progress Software has released patches for WhatsUp Gold, a network monitoring application. The patches fix three critical vulnerabilities, one of which is seeing active exploitation attempts. The actively exploited vulnerability (CVE-2024-4885) allows an unauthenticated attacker to perform remote code execution with elevated privileges; the other two critical vulnerabilities (CVE-2024-4883 and CVE-2024-4884) likewise allow an unauthenticated attacker to perform remote code execution with elevated privileges.

What’s the risk to me or my business?

The vulnerability CVE-2024-4885 allows unauthenticated remote code execution, enabling attackers to execute arbitrary commands with elevated privileges (service account). Exploitation of this flaw can lead to severe consequences, including unauthorised access to sensitive data, disruption of network monitoring services and potential lateral movement within the network.

A compromised system also faces an increased risk of further exploitation through other vulnerabilities.

Active exploitation attempts have been observed since August 1, 2024, highlighting the urgency for businesses to address this vulnerability. Failure to mitigate this risk could result in significant financial and reputational damage.

What can I do?

Security researchers have uncovered active exploitation attempts of CVE-2024-4885 in the wild, dating back to the 1st of August. Given the severity of this vulnerability, which impacts all versions released prior to 2023.1.3, immediate action is advised. Black Arrow strongly recommends the prompt application of the available patches to mitigate the risk.
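The advisory's practical instruction is to find every WhatsUp Gold install running a version released before 2023.1.3 and patch it. The script below is an added example, not part of the Black Arrow advisory or Progress Software's tooling: it parses dotted version strings, flags anything below 2023.1.3 as needing the patch, and sends unparseable entries to a review list rather than silently treating them as safe. The hostnames and versions in the inventory are constructed sample data, and how you obtain host/version pairs (asset inventory export, agent query) is an assumption outside the advisory.

```python
"""Added example (not from the advisory): triage WhatsUp Gold installs against
the fixed version named in the advisory (2023.1.3). Versions below it are
flagged for patching; versions that cannot be parsed are flagged for review.
"""
import re
from typing import Optional

# From the advisory: all versions released prior to 2023.1.3 are affected.
# Assumption: any later version number carries the fix.
FIXED_VERSION = "2023.1.3"

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*$")


def parse_version(text: str) -> Optional[tuple]:
    """Turn '2023.1.3' into (2023, 1, 3); return None if the string is not a dotted version."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(v: tuple, n: int) -> tuple:
    """Right-pad with zeros so '2022.1' compares as '2022.1.0'."""
    return v + (0,) * (n - len(v))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if version < fixed, False if version >= fixed, None if unparseable."""
    v = parse_version(version)
    f = parse_version(fixed)
    if v is None or f is None:
        return None
    n = max(len(v), len(f))
    return _pad(v, n) < _pad(f, n)


def triage(inventory: dict) -> dict:
    """Split a {host: version} map into patch_now / patched / review buckets.

    Unparseable versions land in 'review' so a bad inventory record is never
    mistaken for a patched host.
    """
    result = {"patch_now": [], "patched": [], "review": []}
    for host, version in sorted(inventory.items()):
        status = is_affected(version)
        if status is None:
            result["review"].append(host)
        elif status:
            result["patch_now"].append(host)
        else:
            result["patched"].append(host)
    return result


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "mon-01": "2023.1.2",   # one patch level behind: affected
    "mon-02": "2023.1.3",   # the fixed release
    "mon-03": "2022.1",     # older major release: affected
    "mon-04": "2024.0.0",   # newer than the fix
    "mon-05": "unknown",    # bad inventory data: needs a human look
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed `triage()` the real host/version map from your asset inventory; the `review` bucket is the one to clear first, since a host whose version you cannot determine may well be an unpatched one.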

Technical Summary

CVE-2024-4885 – If successfully exploited, this vulnerability, which exists in the WhatsUp.ExportUtilities.Export.GetFileWithoutZip function, allows an unauthenticated attacker to execute commands as a service account through NmApi.exe.

CVE-2024-4884 – If successfully exploited, this vulnerability allows an unauthenticated attacker to execute commands with iisapppool\nmconsole privileges. The vulnerability specifically exists in Apm.UI.Areas.APM.Controllers.CommunityController.

CVE-2024-4883 – If successfully exploited, this vulnerability allows an unauthenticated attacker to execute commands with iisapppool\nmconsole privileges. The vulnerability specifically exists in Apm.UI.Areas.APM.Controllers.CommunityController.

Further information on WhatsUp Gold can be found here:

https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity
