### #RegistryExploitation #RemoteCodeExecution #WhatsUpGoldFlaw
Summary: Tenable’s analysis reveals a critical vulnerability, CVE-2024-8785, in WhatsUp Gold that allows unauthenticated remote attackers to execute arbitrary code by exploiting a registry overwrite flaw. This vulnerability, rated 9.8 on the CVSS scale, poses significant risks to organizations using affected versions of the software.
Threat Actor: Unauthenticated Remote Attacker
Victim: Ipswitch
Key Points:
- The vulnerability allows attackers to invoke the UpdateFailoverRegistryValues operation, modifying critical registry paths.
- Attackers can redirect the InstallDir path to their own network share, enabling malicious code execution upon service restart.
- Exploiting this flaw can lead to full system control without authentication, increasing the risk of broader network infiltration.
- Organizations are advised to upgrade to WhatsUp Gold version 24.0.1 to mitigate this critical risk.
Tenable’s latest vulnerability analysis has exposed a critical flaw, CVE-2024-8785, in WhatsUp Gold versions prior to 24.0.1. Rated with a CVSS score of 9.8, this vulnerability allows unauthenticated remote attackers to achieve remote code execution (RCE) by exploiting a registry overwrite flaw in NmAPI.exe.
NmAPI.exe, a Windows Communication Foundation (WCF) application, is at the core of this vulnerability. It implements the UpdateFailoverRegistryValues operation, which enables updates to specific registry values. However, Tenable’s report highlights a significant flaw: “An unauthenticated remote attacker can invoke the UpdateFailoverRegistryValues operation via a netTcpBinding at net.tcp://<target-host>:9643.”
This operation allows attackers to modify registry paths under `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch`, including the InstallDir path. By redirecting the path to a network share controlled by the attacker, such as `\\<attacker-ip>\share\WhatsUp`, they can exploit the Ipswitch Service Control Manager service upon its restart.
When the Ipswitch Service Control Manager service restarts—commonly after a system reboot or update—it reads manifest files like WhatsUpPlatform-PluginManifest.xml from the attacker-controlled host. The attacker can manipulate these manifest files to inject malicious processes. For example, as Tenable describes, “The attacker can add a <ServerProcess> element in WhatsUpPlatform-PluginManifest.xml to start an attacker-controlled executable.”
By doing so, the attacker gains the ability to execute arbitrary code with system privileges, compromising the targeted system completely.
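As an added defender-side check, not code from Tenable or Progress: a PowerShell audit that looks for InstallDir values under the Ipswitch registry key that have been redirected to a UNC share and reports whether the NmAPI.exe net.tcp port is listening. It assumes the InstallDir value sits somewhere beneath that key (searched recursively) and is run on the WhatsUp Gold host.

```powershell
# Added audit check (not Progress/Ipswitch code) for the CVE-2024-8785 indicator:
# an InstallDir value redirected to a network share. Run on the WhatsUp Gold host.
# Assumption: InstallDir lives somewhere under the Ipswitch key, so we search recursively.
$root = 'HKLM:\SOFTWARE\WOW6432Node\Ipswitch'

function Test-UncPath {
    param([string]$Path)
    # UNC paths start with \\ (including the long-path form \\?\UNC\...)
    return $Path -match '^\\\\'
}

$findings = @()
if (Test-Path $root) {
    $keys = @(Get-Item $root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $props -and $props.PSObject.Properties.Name -contains 'InstallDir') {
            $value = [string]$props.InstallDir
            $findings += [pscustomobject]@{
                Key        = $key.Name
                InstallDir = $value
                Suspicious = (Test-UncPath $value)
            }
        }
    }
} else {
    Write-Warning "Registry key $root not found; is WhatsUp Gold installed on this host?"
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object Suspicious) {
    Write-Warning 'InstallDir points to a network share: treat as possible CVE-2024-8785 exploitation.'
}

# Is the NmAPI.exe WCF endpoint (net.tcp, port 9643) listening? If so, confirm it is
# not reachable from untrusted networks until the host runs 24.0.1 or later.
Get-NetTCPConnection -LocalPort 9643 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        '{0}:{1} listening (process {2})' -f $_.LocalAddress, $_.LocalPort, $proc.ProcessName
    }
```

A Suspicious=True row means the Ipswitch Service Control Manager will load its plugin manifest from that share on its next restart, so the value should be restored and the host checked for an attacker-added ServerProcess entry.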
The implications of CVE-2024-8785 are severe:
- Attackers can achieve full system control without requiring authentication.
- Compromised systems may act as entry points for broader network infiltration.
- Organizations relying on affected versions of WhatsUp Gold face significant operational and security risks.
Progress has addressed this vulnerability in WhatsUp Gold version 24.0.1. Users are strongly urged to upgrade immediately to mitigate the risk.