A proof-of-concept (PoC) exploit for a critical-severity remote code execution flaw in Progress WhatsUp Gold has been published, making it essential to install the latest security updates as soon as possible.
The flaw is tracked as CVE-2024-8785 (CVSS v3.1 score: 9.8) and was discovered by Tenable in mid-August 2024. It exists in the NmAPI.exe process in WhatsUp Gold versions from 2023.1.0 and before 24.0.1.
Manipulating the Windows Registry
When launched, NmAPI.exe provides a network management API interface for WhatsUp Gold, listening for and processing incoming requests.
Due to insufficient validation of incoming data, attackers could send specially crafted requests to modify or overwrite sensitive Windows registry keys that control where WhatsUp Gold configuration files are read from.
“An unauthenticated remote attacker can invoke the UpdateFailoverRegistryValues operation via a netTcpBinding at net.tcp://<target-host>:9643,” reads Tenable’s writeup.
“Through the UpdateFailoverRegistryValues operation, the attacker can change an existing registry value or create a new one for any registry path under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch.”
“Specifically, the attacker can change HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\Network Monitor\WhatsUp Gold\Setup\InstallDir to a UNC path pointing to a host controlled by the attacker (i.e., \\<attacker-ip>\share\WhatsUp).”
The next time the Ipswitch Service Control Manager service restarts, it will read various configuration files from the attacker-controlled remote share, which can be used to launch any remote executable the attacker wants on the vulnerable WhatsUp Gold system.
Apart from the obvious risks that arise from such a scenario, the ability to modify the system registry also gives the attacker excellent persistence capabilities, such as making changes to startup keys so malicious code is executed upon system boot.
Exploitation of CVE-2024-8785 does not require authentication, and since the NmAPI.exe service is accessible over the network, the risk is significant.
Update WhatsUp Gold now
System administrators managing WhatsUp Gold deployments should upgrade to version 24.0.1 as soon as possible.
Progress Software released security updates addressing CVE-2024-8785 and five more flaws on September 24, 2024, and published the related bulletin here, containing installation instructions.
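The following PowerShell audit script is an added example written for this article; it is not code from Progress, Tenable, or the original post. It turns the two actionable points above into checks an administrator can run on a WhatsUp Gold host: whether the installed version falls in the affected range (2023.1.0 up to, but not including, 24.0.1), whether the InstallDir value under the Setup key already points at a UNC share (the tampering Tenable describes), and whether TCP 9643 (the net.tcp endpoint NmAPI.exe listens on) is bound to all interfaces. The registry path and port come from the article; the assumptions are that the product registers its version under the standard Windows Uninstall keys with a DisplayName containing "WhatsUp Gold", and that Get-NetTCPConnection is available (Windows 8 / Server 2012 and later). Run it in an elevated session.

```powershell
# Added audit script for CVE-2024-8785 exposure; not from the article, Progress, or Tenable.
# Assumptions (not stated on the page): the installer registers under the standard
# Uninstall keys with a DisplayName containing "WhatsUp Gold", and Get-NetTCPConnection
# exists on this host. Registry path and port 9643 are taken from the article.

$SetupKey     = 'HKLM:\SOFTWARE\WOW6432Node\Ipswitch\Network Monitor\WhatsUp Gold\Setup'
$FixedVersion = [version]'24.0.1'
$NmApiPort    = 9643

function Test-UncPath {
    param([string]$Path)
    # A value beginning with \\ makes the service read its configuration from a remote share.
    return (-not [string]::IsNullOrWhiteSpace($Path)) -and ($Path.TrimStart() -match '^\\\\')
}

function Test-AffectedVersion {
    param([version]$Installed)
    # Affected per the article: 2023.1.0 and later, up to but not including 24.0.1.
    # WhatsUp Gold moved from year-style numbers (2023.x) to 24.x, so a plain [version]
    # comparison would rank 2023.1.0 above 24.0.1; the two lines are checked separately.
    if ($Installed.Major -eq 2023) { return ($Installed -ge [version]'2023.1.0') }
    if ($Installed.Major -eq 24)   { return ($Installed -lt $FixedVersion) }
    return $false   # outside the range the article names; consult the vendor bulletin
}

function Get-WhatsUpGoldVersion {
    # Assumption: the product appears in the Uninstall keys with a DisplayVersion value.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*WhatsUp Gold*' -and $_.DisplayVersion } |
        Select-Object -First 1
    if (-not $entry) { return $null }
    try { return [version]$entry.DisplayVersion } catch { return $null }
}

function Get-InstallDirFinding {
    # Reads the value Tenable's writeup names as the one an attacker would redirect.
    $props = Get-ItemProperty -Path $SetupKey -Name InstallDir -ErrorAction SilentlyContinue
    if (-not $props) { return "INFO: no InstallDir value found under $SetupKey" }
    if (Test-UncPath $props.InstallDir) {
        return "ALERT: InstallDir points to a remote share: $($props.InstallDir)"
    }
    return "OK: InstallDir is a local path: $($props.InstallDir)"
}

function Get-NmApiExposureFinding {
    # NmAPI.exe accepts requests on net.tcp port 9643; a wildcard bind means it is
    # reachable from every interface unless the host firewall says otherwise.
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $NmApiPort -ErrorAction SilentlyContinue
    if (-not $listeners) { return "OK: nothing is listening on TCP $NmApiPort" }
    $addresses = ($listeners.LocalAddress | Sort-Object -Unique) -join ', '
    if (($listeners.LocalAddress -contains '0.0.0.0') -or ($listeners.LocalAddress -contains '::')) {
        return "WARN: TCP $NmApiPort is bound to all interfaces ($addresses); restrict it at the host firewall until patched"
    }
    return "INFO: TCP $NmApiPort is listening on $addresses"
}

# Report
$version = Get-WhatsUpGoldVersion
if ($null -eq $version) {
    Write-Output 'Version: could not be determined from the Uninstall keys'
} elseif (Test-AffectedVersion $version) {
    Write-Output "ALERT: WhatsUp Gold $version is in the affected range; upgrade to $FixedVersion"
} else {
    Write-Output "OK: WhatsUp Gold $version is not in the affected range named for CVE-2024-8785"
}
Write-Output (Get-InstallDirFinding)
Write-Output (Get-NmApiExposureFinding)
```

The version check deliberately handles the 2023.x and 24.x lines separately: WhatsUp Gold changed its numbering scheme between them, so a naive `[version]` comparison would wrongly report 2023.1.0 as newer than 24.0.1. The InstallDir check is also useful after patching, since a value that already points at a share indicates the key was tampered with before the update and the service may still be loading configuration from it.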
WhatsUp Gold has been targeted by hackers again recently, with the threat actors leveraging publicly available exploits to attack vulnerable endpoints.
In early August, threat actors used public PoCs for a critical WhatsUp Gold RCE flaw to obtain initial access to corporate networks.
In September, hackers used public exploits for two critical SQL injection vulnerabilities in WhatsUp Gold, which enabled them to take over administrator accounts without knowing the password.
Given the recent history of threat actors exploiting critical vulnerabilities in Progress Software’s popular network monitoring solution, it is crucial to promptly apply the available security updates.