
WARNING: MULTIPLE CRITICAL RCE VULNERABILITIES IN PROGRESS WHATSUP GOLD, PATCH IMMEDIATELY!

Reference: Advisory #2024-97
Version: 1.1
Affected software: Progress WhatsUp Gold 23.1.2 and older
Type: Remote Code Execution (RCE)
CVE/CVSS:

CVE-2024-4883: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-4884: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-4885: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-5008: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Sources

https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024

Risks

Multiple vulnerabilities leading to unauthenticated Remote Code Execution (RCE) were discovered in Progress WhatsUp Gold. These vulnerabilities could allow an attacker without valid credentials to execute malicious code on the systems. Exploitation of these vulnerabilities could lead to a complete compromise of your environment, data exfiltration and ransomware deployment.

Description

CVE-2024-4883: An unauthenticated attacker could get RCE as a service account through NmApi.exe.

CVE-2024-4884: An unauthenticated attacker could get RCE using Apm.UI.Areas.APM.Controllers.CommunityController executing commands with iisapppool\nmconsole privileges.
 
CVE-2024-4885: An unauthenticated attacker could get RCE using WhatsUp.ExportUtilities.Export.GetFileWithoutZip executing commands with iisapppool\nmconsole privileges.

Update 2024-08-08: Proof-of-concept exploits for CVE-2024-4885 that target exposed WhatsUp Gold '/NmAPI/RecurringReport' endpoints are publicly available. These proof-of-concept exploits are now actively used in attacks.
 
CVE-2024-5008: An authenticated user with the necessary permissions can upload an arbitrary file and get RCE using Apm.UI.Areas.APM.Controllers.Api.Applications.AppProfileImportController.
 
Remark: Progress has fixed other vulnerabilities detailed in their advisory. These are: CVE-2024-5009, CVE-2024-5010, CVE-2024-5011, CVE-2024-5012, CVE-2024-5013, CVE-2024-5014, CVE-2024-5015, CVE-2024-5016, CVE-2024-5017, CVE-2024-5018, CVE-2024-5019.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion. In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
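
As an added example (not part of the CCB advisory or of Progress tooling), the following sketch reviews historic access logs for requests to the '/NmAPI/RecurringReport' endpoint named in the 2024-08-08 update. It assumes the requests are recorded in W3C extended log format with a #Fields directive; the sample log lines and the INTERNAL_NETS ranges are constructed, and a hit is a lead for investigation rather than proof of compromise.

```python
import ipaddress
from collections import defaultdict

# Endpoint named in the advisory's 2024-08-08 update (CVE-2024-4885), lowercased.
TARGET_PATH = "/nmapi/recurringreport"
# Assumption: replace with the ranges your organisation treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log (not real traffic), W3C extended format.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-08-07 10:01:12 10.0.0.15 GET /NmConsole/ 200
2024-08-08 02:14:55 203.0.113.77 GET /NmAPI/RecurringReport 200
2024-08-08 02:15:03 203.0.113.77 POST /nmapi/recurringreport/ 500
2024-08-08 09:30:00 10.0.0.20 POST /NmAPI/RecurringReport 200
2024-08-08 09:31:00 198.51.100.9 GET /NmAPI/Other 404
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and len(line.split()) == len(fields):
            yield dict(zip(fields, line.split()))

def find_hits(text):
    """Group requests to the targeted endpoint by client address."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        path = rec.get("cs-uri-stem", "").lower().rstrip("/")
        if path == TARGET_PATH or path.startswith(TARGET_PATH + "/"):
            hits[rec.get("c-ip", "-")].append(rec)
    return dict(hits)

def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparseable client field: review manually
    return not any(addr in net for net in INTERNAL_NETS)

def external_sources(hits):
    """Client addresses outside INTERNAL_NETS; review these first."""
    return sorted(ip for ip in hits if is_external(ip))

if __name__ == "__main__":
    print(external_sources(find_hits(SAMPLE_LOG)))
```

Requests from internal addresses still deserve a look, since they may be legitimate report scheduling or activity from an already compromised host.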