“Enhance Network Security: Mitigating CVE-2024-5008 Vulnerability in Progress WhatsUp Gold”

The SonicWall Capture Labs threat research team published an analysis of an arbitrary file upload vulnerability (CVE-2024-5008) in Progress WhatsUp Gold. An authenticated user holding Application Monitoring (APM) privileges can upload a file of any type, including a server-side script such as an .aspx page, into a directory that the web console serves, which leads to remote code execution on the WhatsUp Gold server. Users are urged to upgrade to WhatsUp Gold 2023.1.3 or later, and SonicWall has released IPS signature 4482 to help detect exploitation attempts.

Keypoints

  • CVE-2024-5008 is an arbitrary file upload vulnerability in Progress WhatsUp Gold versions prior to 2023.1.3.
  • The flaw requires an authenticated user with Application Monitoring (APM) privileges to upload arbitrary files.
  • The vulnerability carries a high CVSS score of 8.8, indicating significant risk.
  • Successful exploitation yields remote code execution on the WhatsUp Gold server, in the security context of the web application rather than that of the APM user; no user interaction is required.
  • The attack is network-based: the attacker needs reachability to the NmConsole web interface and an account with APM privileges, nothing more.
  • The fix shipped in WhatsUp Gold 2023.1.3; upgrading to that version or later is strongly advised.
  • SonicWall has published IPS signature 4482 to detect and protect against this vulnerability.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The APM import function of the WhatsUp Gold web console is abused to place an attacker-controlled file on the server. ‘Exploitation of the vulnerability yields the remote threat actor the ability to execute arbitrary code on the server.’
  • [T1505.003] Server Software Component: Web Shell – The uploaded .aspx file is handed to the ASP.NET handler by IIS when requested, giving the attacker command execution through the console's own web endpoint.
  • [T1068] Exploitation for Privilege Escalation – An account that only holds APM rights inside the application ends up running code as the IIS worker process hosting WhatsUp Gold. ‘Authenticated users with APM privileges can exploit the vulnerability to gain higher access.’
  • [T1078] Valid Accounts – Exploitation is post-authentication, so a stolen, weak or shared console login is the usual entry point. ‘Attackers require valid credentials to exploit the vulnerability.’

Indicators of Compromise

  • [URL/Domain] – Exploit delivery URL and target path used by the proof of concept (placeholder host): http(s)://vuln-whatsup.com/NmConsole/Content/Apm/Import/poc.aspx
  • [File name] – Proof-of-concept payload filename: poc.aspx
  • [File path] – File created on the server by the proof of concept: C:\POC\poc
  • [File extension] – Server-side extension used in the payload: .aspx
  • [Note] – The host, filename and path above are artifacts of the published proof of concept and will differ in a real intrusion. The durable indicator is any server-side file (.aspx, .ashx, .asmx and similar) appearing under the NmConsole\Content\Apm\Import directory, or IIS log entries requesting such a file from that path, especially from a low-privileged APM account.
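The following is an added example of how a defender could turn the indicator above into a check, not code from the SonicWall post or from Progress. It parses IIS W3C logs and flags every request for a server-side file under the APM import directory, distinguishing a successful execution (2xx) from a probe. It assumes the default IIS log field layout (the `#Fields:` header is honoured, so other layouts work as long as `cs-uri-stem` and `sc-status` are present), that the console is served under `/NmConsole/` as in the PoC URL, and that the listed extensions are what an operator treats as executable; the sample log lines are constructed for illustration.

```python
"""Flag CVE-2024-5008-style web-shell activity in IIS W3C logs.

Added example, not from the SonicWall post or Progress. Assumes the default
IIS W3C log layout (the #Fields: header is honoured) and that the console is
served under /NmConsole/ as in the PoC URL. The extension list and the sample
log below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Iterator, List
from urllib.parse import unquote
import posixpath

# Directory the PoC uploaded into (from the advisory), compared case-insensitively.
WATCH_PREFIX = "/nmconsole/content/apm/import/"
# Extensions IIS hands to the ASP.NET handler; assumption: this is what an
# operator would treat as "executable" inside a static content directory.
SERVER_SIDE_EXT = {".aspx", ".ashx", ".asmx", ".asax", ".ascx", ".cshtml", ".vbhtml"}


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    user: str
    method: str
    path: str
    status: str
    verdict: str


def normalise_path(uri_stem: str) -> str:
    """Decode (including double-encoding), normalise separators and dot
    segments, and lower-case, so Poc%2EASPX or ..%2f tricks cannot slip past
    a naive prefix/extension comparison."""
    decoded = uri_stem
    for _ in range(3):  # bounded: stop once decoding no longer changes anything
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return posixpath.normpath(decoded.replace("\\", "/")).lower()


def parse_iis_log(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):  # malformed line: skip rather than misalign columns
            continue
        yield dict(zip(fields, values))


def find_webshell_activity(lines: Iterable[str]) -> List[Hit]:
    """Return every request for a server-side file under the APM import directory."""
    hits: List[Hit] = []
    for rec in parse_iis_log(lines):
        path = normalise_path(rec.get("cs-uri-stem", "/"))
        if not path.startswith(WATCH_PREFIX):
            continue
        if posixpath.splitext(path)[1] not in SERVER_SIDE_EXT:
            continue
        status = rec.get("sc-status", "?")
        # A 2xx means IIS actually ran the file; anything else still matters
        # because it shows someone looking for a dropped shell.
        verdict = "executed" if status.startswith("2") else "probe"
        hits.append(Hit(
            timestamp=f"{rec.get('date', '')} {rec.get('time', '')}",
            client_ip=rec.get("c-ip", "?"),
            user=rec.get("cs-username", "-"),
            method=rec.get("cs-method", "?"),
            path=path,
            status=status,
            verdict=verdict,
        ))
    return hits


# Constructed sample log, not real traffic: a legitimate static request, a
# web-shell execution, a mixed-case probe that 404s, and a dot-segment request
# that resolves outside the watched directory once normalised.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-08-01 10:15:01 10.0.0.5 GET /NmConsole/Content/Apm/Import/logo.png - 443 apmuser 203.0.113.7 Mozilla/5.0 200 0 0 3
2024-08-01 10:15:02 10.0.0.5 GET /NmConsole/Content/Apm/Import/poc.aspx cmd=whoami 443 apmuser 203.0.113.7 python-requests/2.31 200 0 0 31
2024-08-01 10:16:40 10.0.0.5 GET /NmConsole/Content/Apm/Import/Poc%2EASPX - 443 - 198.51.100.9 curl/8.4 404 0 2 5
2024-08-01 10:17:00 10.0.0.5 GET /NmConsole/Content/Apm/Import/..%2f..%2fDefault.aspx - 443 - 198.51.100.9 curl/8.4 200 0 0 9
"""


def scan_sample() -> List[Hit]:
    return find_webshell_activity(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for h in scan_sample():
        print(f"{h.timestamp} {h.client_ip} user={h.user} {h.method} {h.path} -> {h.status} ({h.verdict})")
```

Run it against the real log directory (by default `%SystemDrive%\inetpub\logs\LogFiles\W3SVC<n>\`) with `find_webshell_activity(open(path))`. The normalisation step matters: a naive `endswith(".aspx")` on the raw stem would miss `Poc%2EASPX`, and a raw prefix match would fire on a request that actually resolves outside the import directory.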

Read more: https://blog.sonicwall.com/en-us/2024/08/protect-your-network-mitigating-the-latest-vulnerability-cve-2024-5008-in-progress-whatsup-gold/