SonicWALL Inc.

08/06/2024 | Press release | Distributed by Public on 08/06/2024 12:50

Protect Your Network: Mitigating the Latest Vulnerability (CVE-2024-5008) in Progress WhatsUp Gold

Overview

The SonicWall Capture Labs threat research team became aware of an arbitrary file upload vulnerability in Progress WhatsUp Gold, assessed its impact and developed mitigation measures. WhatsUp Gold is network monitoring software that monitors every connected device in the network, providing visibility into the IT infrastructure. It also lets operators swiftly pinpoint and resolve issues in the infrastructure through its intuitive workflows and system integrations.

Identified as CVE-2024-5008, WhatsUp Gold versions prior to 2023.1.3 allow an authenticated threat actor with the Application Monitoring (APM) privilege to upload an arbitrary file, which can further lead to remote code execution, earning a high CVSS score of 8.8. This vulnerability was originally discovered by Le Ngoc Anh (@L3ng0c4nh) and Nguy Minh Tuan (@minhtuanact) of the Sun* Cyber Security Research Team. WhatsUp Gold users are encouraged to upgrade their instances to the latest fixed version, as mentioned by the vendor in the advisory.

Technical Overview

This vulnerability arises from a flaw in the input validation of the function that handles importing the application profile definition file. WhatsUp Gold allows an authenticated user with the Application Monitoring (APM) privilege to import an XML file that defines the application profile to be monitored. The file contains information such as which port is to be monitored and the polling frequency. This function is accessible at Settings > Application monitoring > Application and profile setup > Application Profiles > Import, as seen in Figure 1.

Figure 1: Window to import application profile definition

The diff of AppProfileImportController.cs from Apm.UI.dll between the vulnerable and patched versions reveals that the function has been changed to allow the import of definition files with the .xml extension only, as seen in Figure 2. This indicates that the previous version allowed files with dangerous extensions such as .aspx to be imported, which can further lead to remote code execution.

Figure 2: Diff of affected function
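As an added example (not WhatsUp Gold's code and not the actual patch), the following shows the kind of extension allowlist the patched import function enforces, with the extra checks a defender would want on any upload that lands in a web-served directory. The function name and the rejection reasons are assumptions for illustration.

```python
import os
from typing import Optional
import xml.etree.ElementTree as ET

# Added example, not the vendor's implementation: allowlist check for an
# application profile import, mirroring the "xml only" fix plus hardening.
ALLOWED_EXTENSIONS = {".xml"}


def validate_profile_import(filename: str, content: bytes) -> Optional[str]:
    """Return None if the upload is acceptable, otherwise a rejection reason."""
    # Keep only the final path component; a client-supplied name may carry
    # directory separators of either flavour (path traversal).
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not base or base in (".", ".."):
        return "empty or relative filename"
    # NTFS alternate data stream syntax (profile.xml:poc.aspx) would defeat a
    # check that only looks at the visible extension.
    if ":" in base:
        return "alternate data stream syntax not allowed"
    # Case-insensitive check on the FINAL extension, which is what IIS uses to
    # select a handler (profile.xml.aspx would be served as ASP.NET).
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return f"extension {ext or '(none)'} not in allowlist"
    # The name claims XML, so the body must actually parse as XML; a profile
    # definition always has a single root element.
    try:
        ET.fromstring(content)
    except ET.ParseError as exc:
        return f"content is not well-formed XML: {exc}"
    return None


if __name__ == "__main__":
    # Constructed inputs: one plausible profile and one renamed ASP.NET file.
    good = b"<ApplicationProfile><Name>Web Server</Name></ApplicationProfile>"
    print(validate_profile_import("profile.xml", good))   # None
    print(validate_profile_import("poc.aspx", b"<% %>"))  # extension rejected
```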

Triggering the Vulnerability

Exploiting the vulnerability described above requires the attacker to meet the following prerequisites.

  • The attacker must have network access to the target vulnerable system
  • The attacker must have the privilege of APM functionality
  • The crafted application profile definition file containing malicious ASP code must be imported with the forged .aspx extension
  • The uploaded file must be requested from the browser to execute the specified code in the previous step

Exploitation

The exploitation of this vulnerability yields the remote threat actor the ability to execute arbitrary code on the server. It has a high impact on the confidentiality, integrity and availability of the system and does not require user interaction.

To achieve remote code execution, a malformed application profile definition file containing an ASP.Net payload needs to be uploaded. It will generate a request, as seen in Figure 3. Notice the changed extension of the file to .aspx, which allows the injected C# code to be executed. This process will create a file named poc.aspx in the directory \NM.UI\Content\Apm\Import.

Figure 3: Arbitrary File Creation

Thereafter, a request to the URL http(s)://vuln-whatsup.com/NmConsole/Content/Apm/Import/poc.aspx needs to be made to execute the payload, as seen in the top portion of Figure 4. This request will generate a file 'C:\POC\poc' in the affected system, as specified in the payload. It will contain the result of the specified command whoami, as seen in the bottom portion of Figure 4.

Figure 4: Remote Code Execution
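From the defender's side, the exploitation flow above leaves a clear trace: any request into the Import directory for something other than an .xml file. The following added example (not SonicWall's signature logic) parses IIS W3C log lines using their own #Fields directive and flags such requests; the URI prefix comes from the advisory, and the log lines are constructed for illustration.

```python
from typing import Dict, List

# Added example: detection over IIS W3C logs for CVE-2024-5008 follow-up
# requests. The Import path is from the advisory; the log text is constructed.
IMPORT_URI_PREFIX = "/nmconsole/content/apm/import/"

SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2024-08-01 10:15:02 10.0.0.5 GET /NmConsole/Login.aspx - 443 - 203.0.113.7 200
2024-08-01 10:16:03 10.0.0.5 GET /NmConsole/Content/Apm/Import/poc.aspx - 443 - 203.0.113.7 200
2024-08-01 10:16:10 10.0.0.5 GET /NmConsole/Content/Apm/Import/webprofile.xml - 443 apmuser 203.0.113.7 200
"""


def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Turn IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                           # other directives / blank lines
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows


def suspicious_import_requests(log_text: str) -> List[Dict[str, str]]:
    """Requests under the Import directory whose target is not an .xml file.

    Legitimate profile imports only ever place .xml files there, so a request
    for .aspx (or a bare directory listing) is worth an alert.
    """
    hits = []
    for row in parse_w3c(log_text):
        stem = row.get("cs-uri-stem", "").lower()
        if stem.startswith(IMPORT_URI_PREFIX) and not stem.endswith(".xml"):
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in suspicious_import_requests(SAMPLE_IIS_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"], hit["sc-status"])
```

The same filter applied to the on-disk \NM.UI\Content\Apm\Import directory (anything not ending in .xml) is a quick post-incident check for an already-planted file.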

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 4482 Progress WhatsUp Arbitrary File Upload

Remediation Recommendations

WhatsUp Gold users are strongly encouraged to upgrade their instances to the latest version, as mentioned in the vendor advisory.

Relevant Links

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.