Exploit released for critical WhatsUp Gold RCE flaw, patch now

A proof-of-concept (PoC) exploit for a critical-severity remote code execution flaw in Progress WhatsUp Gold has been published, making it critical to install the latest security updates as soon as possible.

The flaw is tracked as CVE-2024-8785 (CVSS v3.1 score: 9.8) and was discovered by Tenable in mid-August 2024. It exists in the NmAPI.exe process in WhatsUp Gold versions from 2023.1.0 up to, but not including, 24.0.1.

Manipulating the Windows Registry

When launched, NmAPI.exe provides a network management API interface for WhatsUp Gold, listening for and processing incoming requests.

Due to insufficient validation of incoming data, attackers could send specially crafted requests to modify or overwrite sensitive Windows registry keys that control where WhatsUp Gold configuration files are read from.

“An unauthenticated remote attacker can invoke the UpdateFailoverRegistryValues operation via a netTcpBinding at net.tcp://<target-host>:9643,” reads Tenable’s writeup.

“Through the UpdateFailoverRegistryValues operation, the attacker can change an existing registry value or create a new one for any registry path under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\.”

“Specifically, the attacker can change HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\Network Monitor\WhatsUp Gold\Setup\InstallDir to a UNC path pointing to a host controlled by the attacker (i.e., \\<attacker-ip>\share\WhatsUp).”

The next time the Ipswitch Service Control Manager service restarts, it will read various configuration files from the attacker-controlled remote share, which can be used to start any remote executable the attacker wishes on the vulnerable WhatsUp Gold system.

Apart from the obvious risks that arise from such a scenario, the ability to modify the system registry also gives the attacker excellent persistence capabilities, such as changing startup keys so that malicious code is executed upon system boot.

Exploitation of CVE-2024-8785 does not require authentication, and since the NmAPI.exe service is accessible over the network, the risk is significant.
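
A defensive check for the tampering described above, added here as an example and not taken from Tenable's writeup or from Progress: it lists every string value under the Ipswitch registry path that points at a network share, prints InstallDir, and reports what is listening on port 9643. The function names Test-RemotePath and Get-IpswitchUncValues are hypothetical; the script assumes an elevated PowerShell session on the WhatsUp Gold server.

```powershell
# Added example: audit for the registry change described in Tenable's writeup.
# Assumption: run in an elevated PowerShell session on the WhatsUp Gold server.
$root = 'HKLM:\SOFTWARE\WOW6432Node\Ipswitch'
$port = 9643   # NmAPI.exe netTcpBinding port named in the writeup

function Test-RemotePath {
    # True for UNC-style values (\\host\share or //host/share). Hypothetical helper.
    param([string]$Value)
    return $Value -match '^\s*(\\\\|//)[^\\/]+[\\/]'
}

function Get-IpswitchUncValues {
    # Walk every key under $Root and emit string values that point at a network share.
    param([string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    $keys = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            # REG_SZ / REG_EXPAND_SZ arrive as [string], REG_MULTI_SZ as [string[]].
            foreach ($item in @($key.GetValue($name))) {
                if ($item -is [string] -and (Test-RemotePath $item)) {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $item }
                }
            }
        }
    }
}

$hits = @(Get-IpswitchUncValues -Root $root)
if ($hits.Count -gt 0) {
    Write-Warning "Values under $root point at a network share; review before any service restart:"
    $hits | Format-List
} else {
    Write-Output "No UNC paths found under $root."
}

# Show InstallDir explicitly, since it is the value the writeup singles out.
$setup = Join-Path $root 'Network Monitor\WhatsUp Gold\Setup'
$installDir = (Get-ItemProperty -LiteralPath $setup -Name InstallDir -ErrorAction SilentlyContinue).InstallDir
Write-Output "InstallDir = $installDir"

# Report whether anything listens on the NmAPI port and which process owns it.
Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess).ProcessName } }
```

A clean result does not replace the upgrade to 24.0.1; it only shows that no value under the Ipswitch path currently points at a remote share.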

Update WhatsUp Gold now

System administrators managing WhatsUp Gold deployments should upgrade to version 24.0.1 as soon as possible.

Progress Software released security updates addressing CVE-2024-8785 and five more flaws on September 24, 2024, and published a related bulletin containing installation instructions.

WhatsUp Gold has been targeted by hackers again recently, with the threat actors leveraging publicly available exploits to attack vulnerable endpoints.

In early August, threat actors used public PoCs for a critical WhatsUp Gold RCE flaw to gain initial access to corporate networks.

In September, hackers used public exploits for two critical SQL injection vulnerabilities in WhatsUp Gold, which enabled them to take over administrator accounts without knowing the password.

Given the recent history of threat actors exploiting critical vulnerabilities in Progress Software’s popular network monitoring solution, it’s imperative to promptly apply the available security updates.
