Progress WhatsUp Gold Remote Code Execution Vulnerability (CVE-2024-8785)

Progress WhatsUp Gold is vulnerable to a critical-severity flaw that may allow an attacker to execute code remotely on the affected system. Tracked as CVE-2024-8785, the vulnerability has a CVSS score of 9.8. Proof-of-concept exploit code for the vulnerability has been made public by the security researchers who discovered it.

Progress addressed five other vulnerabilities in the security advisory. The CVEs are as follows:

  • CVE-2024-46908, CVE-2024-46907, & CVE-2024-46906: These SQL injection vulnerabilities allow an authenticated user with ‘Report Viewer’ permissions to escalate privileges to the admin account.
  • CVE-2024-46905: This SQL injection vulnerability allows an authenticated attacker with ‘Network Manager’ permissions to escalate privileges to the admin account.
  • CVE-2024-46909: A remote, unauthenticated attacker may exploit this vulnerability to execute code in the context of the service account.

Progress WhatsUp Gold is network monitoring software that allows users to visualize and manage the status and performance of every device connected to their network. The software provides a comprehensive view of the IT infrastructure and enables quick identification and resolution of potential issues.

CVE-2024-8785

The registry overwrite remote code execution vulnerability exists in the Windows Communication Foundation (WCF) application named NmAPI.exe. The application provides a network management API interface for WhatsUp Gold, listening for and processing incoming requests.

The application implements an UpdateFailoverRegistryValues operation contract. An attacker may invoke the UpdateFailoverRegistryValues operation via a netTcpBinding. Because the incoming data is insufficiently validated, this allows the attacker to overwrite an existing registry value, or create a new one, under any registry path.

When the Ipswitch Service Control Manager service (ServiceControlManager.exe) restarts, it reads various manifest files from the attacker-controlled host. These files define the processes that ServiceControlManager.exe starts. To have an attacker-controlled executable started, the attacker can add a <ServerProcess> element to WhatsUpPlatform-PluginManifest.xml.
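As an added defender-side example (this is not code from the advisory, from Qualys or from Progress), the script below audits a WhatsUpPlatform-PluginManifest.xml for <ServerProcess> entries whose executable lives outside the product's install directory or on a remote (UNC) share, which is the launch path described above. The advisory names only the file and the element; the manifest layout, the Name and Path attributes, the install directory and the sample entries are assumptions or constructed values and should be adjusted to the real host.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Placeholder install directory: the advisory does not state where WhatsUp Gold
# is installed, so set this to the real location on the host being audited.
INSTALL_DIR = r"C:\Program Files (x86)\Ipswitch\WhatsUp"

# Constructed sample manifest. The real WhatsUpPlatform-PluginManifest.xml schema
# is not shown in the advisory; the <ServerProcess> element is, but the Name and
# Path attributes used here are assumptions made for this example.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<PluginManifest>
  <ServerProcess Name="AlertCenter" Path="C:\\Program Files (x86)\\Ipswitch\\WhatsUp\\AlertCenter.exe" />
  <ServerProcess Name="Updater" Path="\\\\198.51.100.23\\share\\update.exe" />
  <ServerProcess Name="Helper" Path="C:\\Users\\Public\\helper.exe" />
</PluginManifest>
"""


def _is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive check that `path` lies inside `root` (Windows paths ignore case)."""
    p = [part.lower() for part in path.parts]
    r = [part.lower() for part in root.parts]
    return p[: len(r)] == r


def audit_manifest(xml_text: str, install_dir: str = INSTALL_DIR) -> list[dict]:
    """Return one finding per <ServerProcess> whose executable should not be trusted.

    Flags entries with a missing Path, a UNC path (an executable fetched from
    another host, the pattern the advisory describes), a relative path, or an
    absolute path outside install_dir. An empty list means nothing looked wrong.
    """
    root = ET.fromstring(xml_text)
    install = PureWindowsPath(install_dir)
    findings = []
    for proc in root.iter("ServerProcess"):  # iter() also finds nested elements
        raw = (proc.get("Path") or "").strip()
        exe = PureWindowsPath(raw)
        reason = None
        if not raw:
            reason = "missing Path attribute"
        elif raw.startswith("\\\\"):
            reason = "UNC path (executable on a remote host)"
        elif not exe.is_absolute():
            reason = "relative path"
        elif not _is_under(exe, install):
            reason = "outside the install directory"
        if reason:
            findings.append({"name": proc.get("Name"), "path": raw, "reason": reason})
    return findings


def audit_manifest_file(path: str, install_dir: str = INSTALL_DIR) -> list[dict]:
    """Audit an on-disk manifest, e.g. the real WhatsUpPlatform-PluginManifest.xml."""
    with open(path, encoding="utf-8") as fh:
        return audit_manifest(fh.read(), install_dir)


if __name__ == "__main__":
    # Run against the constructed sample; point audit_manifest_file() at a real host's file.
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(f"[!] ServerProcess {finding['name']!r}: {finding['path']} ({finding['reason']})")
```

On the constructed sample the script reports the "Updater" entry (UNC path) and the "Helper" entry (outside the install directory) and accepts "AlertCenter". Run periodically, or after any ServiceControlManager.exe restart, a non-empty result is worth an investigation even on a patched host, since it would show that the manifest has been altered.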

Affected Versions

The vulnerability impacts Progress WhatsUp Gold versions below 24.0.1.

Mitigation

Customers must upgrade to Progress WhatsUp Gold version 24.0.1 or later to patch the vulnerability.

For more information, please refer to the Progress WhatsUp Gold Security Bulletin, September 2024.

Qualys Detection

Qualys customers can scan their devices with QID 382507 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-September-2024
