Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
Warning: multiple critical RCE vulnerability in progress WhatsUp Gold, patch immediately!
Image
Published : 27/06/2024
Reference:
Advisory #2024-97
Version:
1.1
Affected software:
Progress WhatsUp Gold 23.1.2 and older
Type:
Remote Code Execution (RCE)
CVE/CVSS:
CVE-2024-4883 :CVSS 9.8(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-4884 :CVSS 9.8(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-4885 :CVSS 9.8(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-5008 :CVSS 8.8(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Sources
https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024
Risks
Multiple vulnerabilities leading to unauthenticated Remote Code Execution (RCE) were discovered in Progress WhatsUp Gold. These vulnerabilities could allow an attacker without valid credentials to execute malicious code on the systems. Exploitation of these vulnerabilities could lead to a complete compromise of your environment, data exfiltration and ransomware deployment.
Description
CVE-2024-4883: An unauthenticated attacker could get RCE as a service account through NmApi.exe.
CVE-2024-4884: An unauthenticated attacker could get RCE using Apm.UI.Areas.APM.Controllers.CommunityController executing commands with iisapppool
nmconsole privileges.
CVE-2024-4885: An unauthenticated attacker could get RCE using WhatsUp.ExportUtilities.Export.GetFileWithoutZip executing commands with iisapppool
nmconsole privileges.
Update 2024-08-08: Proof-of-concept exploits for CVE-2024-4885 are publicly available that target exposed WhatsUp Gold '/NmAPI/RecurringReport' endpoints. These Proof-of-concept are now actively exploited.
CVE-2024-5008: An authenticated user with the necessary permissions can upload an arbitrary file and get RCE using Apm.UI.Areas.APM.Controllers.Api.Applications.AppProfileImportController.
Remark: Progress has fixed other vulnerabilities detailed in their advisory. These are: CVE-2024-5009, CVE-2024-5010, CVE-2024-5011, CVE-2024-5012, CVE-2024- 5013, CVE-2024-5014, CVE-2024-5015, CVE-2024-5016, CVE-2024-5017, CVE-2024-5018, CVE- 2024-5019.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion. In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.