Short Summary:
The SonicWall Capture Labs threat research team identified an arbitrary file upload vulnerability (CVE-2024-5008) in Progress WhatsUp Gold, which allows authenticated users with Application Monitoring privileges to upload malicious files, potentially leading to remote code execution. Users are advised to upgrade to the latest version to mitigate this risk.
Key Points:
- Vulnerability identified as CVE-2024-5008 in WhatsUp Gold versions prior to 2023.1.3.
- Allows authenticated users with Application Monitoring privileges to upload arbitrary files.
- High CVSS score of 8.8 indicates significant risk.
- Exploitation can lead to remote code execution without user interaction.
- Attackers must have network access and appropriate privileges to exploit the vulnerability.
- Users are encouraged to upgrade to the latest version to mitigate risks.
- SonicWall has released IPS signature 4482 to protect against this vulnerability.
MITRE ATT&CK TTPs – created by AI
- Execution – T1203
  - Exploitation of the vulnerability allows execution of arbitrary code via uploaded files.
- Privilege Escalation – T1068
  - Authenticated users with APM privileges can exploit the vulnerability to gain higher access.
- Initial Access – T1078
  - Attackers require valid credentials to exploit the vulnerability.
Overview
The SonicWall Capture Labs threat research team became aware of an arbitrary file upload vulnerability in Progress WhatsUp Gold, assessed its impact and developed mitigation measures. WhatsUp Gold is network monitoring software that watches every connected device on the network and provides visibility into the IT infrastructure. It also lets operators quickly pinpoint and resolve infrastructure issues through its workflows and system integrations.
Identified as CVE-2024-5008, WhatsUp Gold versions prior to 2023.1.3 allow an authenticated threat actor with the Application Monitoring (APM) privilege to upload an arbitrary file, which can further lead to remote code execution, earning a high CVSS score of 8.8. This vulnerability was originally discovered by Le Ngoc Anh (@L3ng0c4nh) and Nguy Minh Tuan (@minhtuanact) of the Sun* Cyber Security Research Team. WhatsUp Gold users are encouraged to upgrade their instances to the latest fixed version, as mentioned by the vendor in the advisory.
Technical Overview
This vulnerability arises due to a flaw in the input validation mechanism in the function that handles importing the application profile definition file. WhatsUp Gold allows an authenticated user with Application Monitoring (APM) privilege to import an XML file that defines the application profile to be monitored. The file contains information such as which port is to be monitored and the frequency of polling. This function is accessible at Settings > Application monitoring > Application and profile setup > Application Profiles > Import, as seen in Figure 1.
Figure 1: Window to import application profile definition
The diff of AppProfileImportController.cs from Apm.UI.dll between the vulnerable and patched versions reveals that the function has been changed to allow the import of definition files with the .xml extension only, as seen in Figure 2. This indicates that the previous version accepted files with dangerous extensions such as .aspx, which can further lead to remote code execution.
Figure 2: Diff of affected function
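As an added illustration (not the vendor's C# code, which the advisory shows only as a diff screenshot), the following Python models the two behaviours side by side: the vulnerable import path, which stores the file under whatever extension the client supplied, and the patched allow-list that accepts .xml only. The XML well-formedness check, the function names and the sample file contents are assumptions of this example.

```python
import os
import xml.etree.ElementTree as ET

# Allow-list of the fixed handler: only .xml profile definitions may be imported.
ALLOWED_EXTENSIONS = {".xml"}


def vulnerable_accepts(filename: str) -> bool:
    """Models the pre-2023.1.3 behaviour: any non-empty name is written to the
    Import directory with whatever extension the client supplied."""
    return bool(filename.strip())


def patched_accepts(filename: str, data: bytes) -> bool:
    """Models the fix: the final path component must end in .xml. Parsing the
    body as XML is an extra defence-in-depth step assumed here, not one the
    advisory attributes to the vendor patch."""
    # Normalise separators and keep only the last component, so a name such as
    # "x.xml/poc.aspx" is judged on "poc.aspx", not on the directory part.
    name = os.path.basename(filename.replace("\\", "/")).strip()
    _, ext = os.path.splitext(name)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return False
    try:
        ET.fromstring(data)  # reject bodies that are not well-formed XML
    except ET.ParseError:
        return False
    return True


# Constructed sample inputs, not taken from the advisory.
PROFILE_XML = b"<ApplicationProfile><Port>443</Port><PollInterval>60</PollInterval></ApplicationProfile>"
ASPX_STUB = b'<%@ Page Language="C#" %>'  # an ASP.NET page directive, not well-formed XML


def demo() -> dict:
    """Run both checks over the same inputs so the difference is visible."""
    return {
        "vulnerable_takes_aspx": vulnerable_accepts("poc.aspx"),
        "patched_takes_aspx": patched_accepts("poc.aspx", ASPX_STUB),
        "patched_takes_xml": patched_accepts("profile.xml", PROFILE_XML),
        "patched_takes_renamed_stub": patched_accepts("poc.xml", ASPX_STUB),
    }
```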
Triggering the Vulnerability
Leveraging the vulnerability mentioned above requires the attacker to meet the following prerequisites.
- The attacker must have network access to the target vulnerable system
- The attacker must have the privilege of APM functionality
- The crafted application profile definition file containing malicious ASP code must be imported with the forged .aspx extension
- The uploaded file must be requested from the browser to execute the specified code in the previous step
Exploitation
The exploitation of this vulnerability yields the remote threat actor the ability to execute arbitrary code on the server. It has a high impact on the confidentiality, integrity and availability of the system and does not require user interaction.
To achieve remote code execution, a malformed application profile definition file containing an ASP.NET payload needs to be uploaded, producing the request seen in Figure 3. Notice that the file's extension has been changed to .aspx, which is what allows the embedded C# code to be executed. This upload creates a file named poc.aspx in the directory NM.UI\Content\Apm\Import.
Figure 3: Arbitrary File Creation
Thereafter, a request to the URL http(s)://vuln-whatsup.com/NmConsole/Content/Apm/Import/poc.aspx must be made to execute the payload, as seen in the top portion of Figure 4. This request creates a file 'C:\POC\poc' on the affected system, as specified in the payload, containing the output of the command whoami, as seen in the bottom portion of Figure 4.
Figure 4: Remote Code Execution
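For defenders, an added example (not part of the advisory and not SonicWall's signature logic) that flags any request under /NmConsole/Content/Apm/Import/ for something other than a .xml file in IIS W3C logs, and lists stray non-.xml files found in the on-disk Import directory (NM.UI\Content\Apm\Import). The log excerpt, its field layout and the client addresses are constructed for the example.

```python
from pathlib import PurePosixPath

# Web path at which the advisory says the dropped file is reached, as served by IIS.
IMPORT_PREFIX = "/NmConsole/Content/Apm/Import/"
# Only profile definitions belong in this directory.
EXPECTED_SUFFIX = ".xml"

# Constructed IIS W3C extended log excerpt (not real telemetry).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2024-07-01 10:00:02 10.0.0.5 GET /NmConsole/Content/Apm/Import/poc.aspx - 443 192.0.2.10 200
2024-07-01 10:05:00 10.0.0.5 GET /NmConsole/Content/Apm/Import/profile.xml - 443 192.0.2.11 200
2024-07-01 10:06:00 10.0.0.5 GET /NmConsole/Content/Apm/Import/POC.ASPX - 443 192.0.2.10 404
2024-07-01 10:07:00 10.0.0.5 GET /NmConsole/Content/Apm/App.css - 443 192.0.2.11 200
"""


def parse_w3c(text: str):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def is_suspicious(uri_stem: str) -> bool:
    """True for any request under the Import directory that is not for a .xml
    file. IIS paths are case-insensitive, so compare in lower case."""
    stem = uri_stem.lower()
    if not stem.startswith(IMPORT_PREFIX.lower()):
        return False
    return PurePosixPath(stem).suffix != EXPECTED_SUFFIX


def find_hits(text: str) -> list:
    """Return (timestamp, client, uri, status) for every suspicious request.
    A 404 still counts: it records an attempt even if the file was not there."""
    return [
        (f"{r['date']} {r['time']}", r["c-ip"], r["cs-uri-stem"], r["sc-status"])
        for r in parse_w3c(text)
        if is_suspicious(r["cs-uri-stem"])
    ]


def stray_files(listing) -> list:
    """Given the file names found in the on-disk Import directory, return
    those that are not .xml and therefore should not be there."""
    return [n for n in listing if PurePosixPath(n.lower()).suffix != EXPECTED_SUFFIX]
```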
SonicWall Protections
To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:
- IPS: 4482 Progress WhatsUp Arbitrary File Upload
Remediation Recommendations
WhatsUp Gold users are strongly encouraged to upgrade their instances to the latest version, as mentioned in the vendor advisory.