A critical vulnerability, recently discovered in Progress’s WhatsUp Gold network monitoring application, is being actively exploited in the wild by threat actors. The flaw, designated CVE-2024-4885, enables remote code execution (RCE) and could allow unauthenticated threat actors to execute commands with elevated permissions.
Despite Progress patching CVE-2024-4885 and 14 other critical severity vulnerabilities in June 2024, threat actors have been targeting unpatched instances of WhatsUp Gold using at least one publicly available Proof-of-Concept (PoC) exploit since the beginning of August.
The attack begins when the exploit sends a request to an exposed WhatsUp Gold instance. The request contains a specially crafted configuration that includes the URL of a threat actor-controlled web server and the user ID the targeted server should respond with. The targeted server responds to the threat actor’s server with the username and encrypted password associated with that user ID, which are then used to send further requests to, and receive responses from, the targeted server. These requests ultimately cause a file to be written on the targeted server, which is then launched remotely for code execution.
Progress is encouraging users of the affected versions of WhatsUp Gold to update as soon as possible. For those unable to upgrade, the company recommends monitoring exploitation attempts at the '/NmAPI/RecurringReport' endpoint and implementing firewall rules to restrict access to trusted IP addresses on ports 9642 and 9643.
Source: Bleeping Computer
Analysis
CVE-2024-4885 serves as a good reminder to organizations of the importance of maintaining a high patching cadence. Organizations that patched affected systems shortly after the update was released are not affected, and the public availability of a PoC has no impact on them.
The vulnerability also serves to remind administrators that network monitoring applications, and other sensitive software that requires remote access, should be properly configured so that they aren’t accessible to unauthorized users. If this were the case for every WhatsUp Gold instance, threat actors would not have been able to target any vulnerable versions, since they would not have been able to establish a connection in the first place.
The exploitation of CVE-2024-4885 will likely decrease as organizations work to update unpatched versions and configure them so they aren’t exposed to the open internet.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software like WhatsUp Gold. Field Effect MDR users were automatically notified if a vulnerable version of WhatsUp Gold was detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly recommends users of affected WhatsUp Gold versions update to the latest version as soon as possible, in accordance with the advisory. Additionally, Field Effect recommends placing all network monitoring software servers, such as WhatsUp Gold, behind a firewall and ensuring they are accessible only internally or by trusted IP addresses.
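The two interim measures above (watching the '/NmAPI/RecurringReport' endpoint and restricting ports 9642 and 9643 to trusted addresses) can be combined into a simple log review. The script below is an added example, not code from Progress or Field Effect: it parses constructed IIS W3C-style access log lines and flags requests to the watched endpoint from sources outside an assumed trusted-range list (the ranges and the log format are assumptions; adjust them to your environment).

```python
import ipaddress
import re
from typing import Dict, List

# Endpoint Progress advises monitoring for CVE-2024-4885 exploitation attempts.
WATCHED_PATH = "/NmAPI/RecurringReport"
# Ports Progress advises restricting to trusted IP addresses.
WATCHED_PORTS = {9642, 9643}

# Assumed trusted source ranges for this example; replace with your own allowlist.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Constructed sample lines (assumed W3C-style fields:
# date time s-ip cs-method cs-uri-stem s-port c-ip sc-status).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status
2024-08-12 09:14:02 10.0.0.5 GET /NmConsole/ 9643 10.0.3.17 200
2024-08-12 09:15:41 10.0.0.5 POST /NmAPI/RecurringReport 9643 203.0.113.44 200
2024-08-12 09:16:10 10.0.0.5 PUT /nmapi/recurringreport 9642 198.51.100.9 500
2024-08-12 09:17:55 10.0.0.5 POST /NmAPI/RecurringReport 9643 192.168.50.20 200
"""

LINE_RE = re.compile(r"^(\S+ \S+) \S+ (\S+) (\S+) (\d+) (\S+) (\d+)$")


def is_trusted(client_ip: str) -> bool:
    """True if the client address falls inside one of the trusted ranges."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable address: treat as untrusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return requests to the watched endpoint from outside the trusted ranges."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # header, comment or malformed line
        ts, method, path, port, client, status = match.groups()
        # IIS paths are case-insensitive, so compare case-insensitively.
        if path.lower() != WATCHED_PATH.lower() or is_trusted(client):
            continue
        findings.append({"time": ts, "method": method, "client": client, "port": port,
                         "status": status,
                         "port_flag": "watched" if int(port) in WATCHED_PORTS else "other"})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

Any hit from an address outside the allowlist is worth treating as an exploitation attempt against an unpatched host, regardless of the HTTP status returned.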