Enhance Network Security: Mitigating CVE-2024-5008 Vulnerability in Progress WhatsUp Gold

Short Summary:

The SonicWall Capture Labs threat research team analyzed an arbitrary file upload vulnerability (CVE-2024-5008) in Progress WhatsUp Gold that allows an authenticated user holding the Application Monitoring privilege to upload a file with an arbitrary extension into the web root, which leads to remote code execution. Users are advised to upgrade to version 2023.1.3 or later to mitigate this risk.

Key Points:

  • Vulnerability identified as CVE-2024-5008 in WhatsUp Gold versions prior to 2023.1.3.
  • Allows authenticated users with Application Monitoring privileges to upload arbitrary files.
  • High CVSS score of 8.8 indicates significant risk.
  • Exploitation can lead to remote code execution without user interaction.
  • Attackers must have network access and appropriate privileges to exploit the vulnerability.
  • Users are encouraged to upgrade to the latest version to mitigate risks.
  • SonicWall has released IPS signature 4482 to protect against this vulnerability.

MITRE ATT&CK TTPs – created by AI

  • Execution (T1203)
    • Exploitation of the vulnerability allows execution of arbitrary code via uploaded files.
  • Privilege Escalation (T1068)
    • Authenticated users with APM privileges can exploit the vulnerability to gain higher access.
  • Initial Access (T1078)
    • Attackers require valid credentials to exploit the vulnerability.


Overview 

The SonicWall Capture Labs threat research team became aware of an arbitrary file upload vulnerability in Progress WhatsUp Gold, assessed its impact and developed mitigation measures. WhatsUp Gold is network monitoring software that discovers and monitors the connected devices in a network, providing visibility into the IT infrastructure, and it offers workflows and system integrations for pinpointing and resolving infrastructure issues. 

Identified as CVE-2024-5008, the flaw allows an authenticated threat actor with the Application Monitoring (APM) privilege to upload an arbitrary file to WhatsUp Gold versions prior to 2023.1.3, which leads to remote code execution and earns the vulnerability a high CVSS score of 8.8. It was originally discovered by Le Ngoc Anh (@L3ng0c4nh) and Nguy Minh Tuan (@minhtuanact) of the Sun* Cyber Security Research Team. WhatsUp Gold users are encouraged to upgrade their instances to the fixed version named in the vendor advisory. 

Technical Overview 

This vulnerability arises from insufficient validation of the uploaded file in the function that handles importing an application profile definition. WhatsUp Gold allows an authenticated user with the Application Monitoring (APM) privilege to import an XML file that defines the application profile to be monitored; the file carries information such as which port is to be monitored and how often it is polled. The import function is reached at Settings > Application monitoring > Application and profile setup > Application Profiles > Import, as seen in Figure 1. 

Figure 1: Window to import application profile definition 

A diff of AppProfileImportController.cs (decompiled from Apm.UI.dll) between the vulnerable and patched versions reveals that the import function now accepts definition files with the .xml extension only, as seen in Figure 2. This shows that the vulnerable version accepted files with dangerous extensions such as .aspx, which, once written under the web root, are executed by the server and so lead to remote code execution. 

Figure 2: Diff of affected function 
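The patched check described above restricts imports to names ending in .xml. The Python below is an added example for this write-up, not code from WhatsUp Gold or Progress and not the researchers' proof of concept: it contrasts a handler that stores the client-supplied name as-is, as the pre-fix behaviour is described, with a hardened validator that also covers the Windows-specific edge cases a reviewer of an extension allow-list would ask about (trailing dots, alternate data streams, double extensions, content that is not XML). The sample payloads, the allowed-name pattern and the server-side naming scheme are this example's own assumptions.

```python
"""Server-side validation of an imported XML application profile.

Added example for this write-up, not code from WhatsUp Gold or Progress, and
not the researchers' proof of concept. It contrasts the pre-2023.1.3 behaviour
described above (the client-supplied file name is stored as-is) with a
hardened validator. Sample payloads, the allowed-name pattern and the
storage-naming scheme are this example's own assumptions.
"""
import re
import uuid
import xml.etree.ElementTree as ET

# Constructed samples: a plausible profile definition and an ASP.NET page.
PROFILE_XML = b'<?xml version="1.0"?><profile><port>443</port><pollIntervalSeconds>60</pollIntervalSeconds></profile>'
ASPX_PAYLOAD = b'<%@ Page Language="C#" %><% Response.Write("constructed sample"); %>'

# Only a bare name ending in .xml: no second extension, no path, no odd characters.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_-]+\.xml", re.IGNORECASE)


def vulnerable_store_name(client_filename: str) -> str:
    """Mirror the flaw as described: whatever name the client sends is used,
    so 'poc.aspx' lands under the web root as an executable page."""
    return client_filename


def hardened_validate(client_filename: str, content: bytes) -> tuple[bool, str]:
    """Return (True, stored_name) when accepted, or (False, reason) when rejected."""
    # 1. Path separators, NUL and the NTFS stream separator (poc.aspx::$DATA)
    #    have no place in a plain file name.
    if any(ch in client_filename for ch in "/\\\x00:"):
        return False, "path or stream characters in file name"
    # 2. Windows drops trailing dots and spaces on create, so 'poc.aspx.' would
    #    be written as 'poc.aspx'. Normalise before checking the extension.
    name = client_filename.rstrip(". ")
    # 3. The final, and only, extension must be .xml: 'poc.xml.aspx' fails here.
    if not ALLOWED_NAME.fullmatch(name):
        return False, "only .xml profile definitions may be imported"
    # 4. The body must be well-formed XML; an ASP.NET page starting with '<%@'
    #    is not, whatever it is called. For untrusted XML in production, parse
    #    with defusedxml to also block entity-expansion attacks.
    try:
        ET.fromstring(content)
    except ET.ParseError:
        return False, "content is not well-formed XML"
    # 5. Never reuse the client name on disk; a server-generated .xml name
    #    removes the attacker's control over the extension entirely. The
    #    import directory should also have script execution disabled (a
    #    deployment assumption, not something the write-up states).
    return True, f"{uuid.uuid4().hex}.xml"


if __name__ == "__main__":
    for fname, body in [("poc.aspx", ASPX_PAYLOAD), ("poc.aspx.", ASPX_PAYLOAD),
                        ("poc.xml", ASPX_PAYLOAD), ("iis.xml", PROFILE_XML)]:
        print(f"vulnerable stores {vulnerable_store_name(fname)!r}; "
              f"hardened -> {hardened_validate(fname, body)}")
```

The order of the checks matters: the name is normalised the way the file system will normalise it before the extension is tested, and the content check runs even for a name that passes, so a well-formed name carrying server-side code is still refused. Generating the stored name server-side is what makes the extension check defence in depth rather than the only barrier.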

Triggering the Vulnerability 

Exploiting this vulnerability requires the attacker to meet the following prerequisites: 

  • The attacker must have network access to the target vulnerable system
  • The attacker must have the privilege of APM functionality
  • A crafted application profile definition file containing malicious ASP.NET code must be imported under a forged .aspx file name
  • The uploaded file must then be requested over HTTP(S) so that the server executes the embedded code

Exploitation 

Exploitation of this vulnerability gives a remote, authenticated threat actor the ability to execute arbitrary code on the server. It has a high impact on the confidentiality, integrity and availability of the system and does not require user interaction. 

To achieve remote code execution, a crafted application profile definition file containing an ASP.NET payload is uploaded through the import function, producing the request seen in Figure 3. Note the file extension changed to .aspx, which is what allows the injected C# code to be executed. The import writes a file named poc.aspx into the directory NM.UI\Content\Apm\Import under the web root. 

Figure 3: Arbitrary File Creation 

Thereafter, requesting the URL http(s)://vuln-whatsup.com/NmConsole/Content/Apm/Import/poc.aspx executes the payload, as seen in the top portion of Figure 4. In this proof of concept the payload writes the file C:\POC\poc on the affected system, containing the output of the command whoami, as seen in the bottom portion of Figure 4. 

Figure 4: Remote Code Execution 
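For defenders, the artefacts described in this section are what to hunt for: a request for a non-.xml object under /NmConsole/Content/Apm/Import/ and the corresponding file in the import directory on disk. The Python below is an added example and not part of the SonicWall write-up: it parses constructed IIS W3C extended log lines for requests to that path with an unexpected extension, and lists non-.xml files found in an import directory. The assumption that the console is served by IIS with W3C logging, the field list, and the IP addresses and timestamps are all this example's constructions.

```python
"""Hunt for artefacts of a non-.xml file uploaded through the APM profile import.

Added example for this write-up, not SonicWall or Progress code. Assumes the
WhatsUp Gold console is served by IIS with W3C extended logging and that
imported profiles are served from /NmConsole/Content/Apm/Import/. All log
lines and file names below are constructed.
"""
import os
import posixpath
from typing import Iterable

IMPORT_URL_PREFIX = "/nmconsole/content/apm/import/"   # compared case-insensitively
ALLOWED_EXTENSIONS = {".xml"}                           # the only type the import should produce

# Constructed W3C extended log excerpt: one legitimate profile fetch, one
# request for the uploaded ASPX page from an unexpected client, one unrelated hit.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-06-25 10:01:02 10.0.0.5 GET /NmConsole/Content/Apm/Import/iis.xml - 443 apmuser 10.0.0.9 Mozilla/5.0 200
2024-06-25 10:01:40 10.0.0.5 GET /NmConsole/Content/Apm/Import/poc.aspx - 443 apmuser 198.51.100.7 python-requests/2.31 200
2024-06-25 10:02:11 10.0.0.5 GET /NmConsole/Apm/Dashboard - 443 apmuser 10.0.0.9 Mozilla/5.0 200
"""


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def _is_unexpected_type(name: str) -> bool:
    """True when the final extension is not one the import should produce.

    Trailing dots and spaces are stripped first because Windows drops them when
    creating a file, so 'poc.aspx.' is stored, and served, as 'poc.aspx'."""
    ext = posixpath.splitext(name.rstrip(". "))[1].lower()
    return ext not in ALLOWED_EXTENSIONS


def flag_import_requests(records: Iterable[dict[str, str]]) -> list[dict[str, str]]:
    """Return log records that request a non-.xml object under the import path.

    Every status code is kept: a 200 shows the page was served, while a 404
    still records an attempt against a name the legitimate UI never requests."""
    hits = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "")
        if not stem.lower().startswith(IMPORT_URL_PREFIX):
            continue
        name = stem[len(IMPORT_URL_PREFIX):]
        if name and _is_unexpected_type(name):
            hits.append(rec)
    return hits


def suspicious_import_files(names: Iterable[str]) -> list[str]:
    """Return the file names from an import directory listing that are not .xml."""
    return [n for n in names if _is_unexpected_type(n)]


def scan_import_dir(directory: str) -> list[str]:
    """Apply suspicious_import_files() to a real import directory on the server.

    The directory location (e.g. <install>\\NM.UI\\Content\\Apm\\Import) depends
    on the install path, so the operator passes it in."""
    return suspicious_import_files(sorted(os.listdir(directory)))


if __name__ == "__main__":
    for hit in flag_import_requests(parse_w3c(SAMPLE_LOG)):
        print(f"{hit['date']} {hit['time']} {hit['c-ip']} -> {hit['cs-uri-stem']} ({hit['sc-status']})")
    print(suspicious_import_files(["iis.xml", "poc.aspx", "web.config", "ok.XML"]))
```

The log check is deliberately driven by the #Fields header rather than fixed column positions, since IIS sites are commonly configured with different field sets; the file check flags anything that is not .xml, including web.config, rather than looking only for .aspx, because the flaw as described placed no restriction on the extension at all.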

SonicWall Protections 

To ensure SonicWall customers are protected against exploitation of this vulnerability, the following signature has been released: 

  • IPS: 4482 Progress WhatsUp Arbitrary File Upload 

Remediation Recommendations 

WhatsUp Gold users are strongly encouraged to upgrade their instances to the fixed version named in the vendor advisory (2023.1.3 or later). Because exploitation requires the Application Monitoring privilege, that privilege should be limited to trusted accounts in the meantime. 

Relevant Links 

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.

Source: Original Post