Vulnerability Brief: Progress WhatsUp Gold

On Monday, June 8, 2024, the ConnectWise Cyber Research Unit™ (CRU) was made aware of multiple vulnerabilities affecting Progress Software WhatsUp Gold prior to version 2023.1.3 (23.1.3). Exploitation of the vulnerabilities would allow threat actors to execute arbitrary commands and compromise administrator accounts without prior authentication. The vulnerabilities are being tracked as CVE-2024-4883, CVE-2024-4885, and CVE-2024-5009.  

WhatsUp Gold is network monitoring software that provides visibility and control over network infrastructure, services, and applications. It can discover and report on connected assets, monitor network devices, host systems and services, and generate alerts for issues. The software uses various detection techniques and a credential library for asset management.  

Although the Summoning Team has published Proof-of-Concept (PoC) exploit code and technical details for these vulnerabilities, the ConnectWise CRU has not observed any exploitation since the public release. However, given the simplicity and potential impact of these vulnerabilities, widespread exploitation is probable. We strongly recommend patching all affected devices immediately.

Patch and mitigation 

Patch WhatsUp Gold software to version 2023.1.3.  

Detections 

Network-based 

ConnectWise partners should verify network configurations to allow for IDS sensors to monitor all applicable network segments, enabling full coverage and visibility of potentially affected devices and possible active exploitation.   

Active detections are deployed to continuously monitor for potential exploitation and subsequent post-exploitation activities. 

[ConnectWise CRU] EXPLOIT Progress WhatsUp Gold Pre-Auth RCE (CVE-2024-4885)

[ConnectWise CRU] EXPLOIT Progress WhatsUp Gold Pre-Auth RCE (CVE-2024-4883)

[ConnectWise CRU] EXPLOIT Progress WhatsUp Gold Privilege Escalation (CVE-2024-5009)

Host-based 

Partners with potentially affected devices should verify the ConnectWise SIEM™ log shipper is installed and configured with the latest Sysmon configuration to ensure comprehensive monitoring and threat detection.   

Based on the recent disclosure and past vulnerabilities targeting WhatsUp Gold, the ConnectWise CRU has implemented hunting queries to monitor for suspicious child processes from “NmAPI.exe” that could indicate post-exploitation.    

Furthermore, the directory that could be used to host webshells is actively monitored:

    “C:\Program Files (x86)\Ipswitch\WhatsUp\html\NmConsole\” 
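The two host-based hunts described above (suspicious children of NmAPI.exe, and script files dropped under the NmConsole web root) can be expressed as a filter over Sysmon process-creation (Event ID 1) and file-creation (Event ID 11) events. The following is an added example, not ConnectWise or Progress code; the child-process and extension watchlists, the NmAPI.exe install path, and the sample events are assumptions constructed for illustration.

```python
import json
from pathlib import PureWindowsPath

# Parent process and webshell directory named in the brief.
WUG_API = "nmapi.exe"
NMCONSOLE_DIR = PureWindowsPath(r"C:\Program Files (x86)\Ipswitch\WhatsUp\html\NmConsole")
# Assumed watchlists (not from the brief): shells/LOLBins a monitoring service
# has no reason to spawn, and server-side script types a webshell would use.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
                       "mshta.exe", "rundll32.exe", "bitsadmin.exe"}
WEBSHELL_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}

def _name(path):
    return PureWindowsPath(path).name.lower()

def _in_nmconsole(path):
    # PureWindowsPath compares case-insensitively, matching NTFS behaviour.
    return NMCONSOLE_DIR in PureWindowsPath(path).parents

def classify(event):
    """Label one Sysmon event (dict of EventData fields); None means no finding."""
    if event.get("EventID") == 1:  # process creation
        if (_name(event.get("ParentImage", "")) == WUG_API
                and _name(event.get("Image", "")) in SUSPICIOUS_CHILDREN):
            return "nmapi_suspicious_child"
    elif event.get("EventID") == 11:  # file create
        target = event.get("TargetFilename", "")
        if (_in_nmconsole(target)
                and PureWindowsPath(target).suffix.lower() in WEBSHELL_EXTENSIONS):
            return "nmconsole_webshell_candidate"
    return None

def hunt(json_lines):
    """Classify newline-delimited JSON events; return (label, process or file) pairs."""
    findings = []
    for line in json_lines:
        event = json.loads(line)
        label = classify(event)
        if label:
            findings.append((label, event.get("Image") or event.get("TargetFilename")))
    return findings

# Constructed sample events (not real telemetry); NmAPI.exe's install path is assumed.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"EventID": 1, "ParentImage": r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmAPI.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmAPI.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Program Files (x86)\Ipswitch\WhatsUp\html\NmConsole\shell.aspx"},
    {"EventID": 11, "TargetFilename": r"C:\Program Files (x86)\Ipswitch\WhatsUp\html\NmConsole\site.css"},
]]
```

Running hunt(SAMPLE_LOG) flags only the cmd.exe child and the .aspx drop; the legitimate NmAPI.exe start and the stylesheet write are ignored.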

Reach out to support@connectwise.com for any assistance.  

Resources

https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-June-2024    

https://summoning.team/blog/progress-whatsup-gold-rce-cve-2024-4883/   

https://summoning.team/blog/progress-whatsup-gold-rce-cve-2024-4885/   

https://summoning.team/blog/progress-whatsup-gold-privesc-setadminpassword-cve-2024-5009/ 
