Cyber Resilience

CVE-2024-5016

High · RCE

Published: 25 June 2024

Modified: 21 November 2024
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0619 (91.1th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-5016 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Progress WhatsUp Gold. Its CVSS base score is 7.2 (High).

Operationally, it is ranked in the top 8.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-5016 is a deserialization vulnerability (CWE-502) affecting WhatsUp Gold installations prior to version 2023.1.3 in the Distributed Edition. The flaw resides in the primary message-handling routines NmDistributed.DistributedServiceBehavior.OnMessage on servers and NmDistributed.DistributedClient.OnMessage on clients, allowing an attacker-supplied serialized payload to trigger remote code execution with SYSTEM privileges.

An authenticated attacker with high privileges and network access can supply a crafted message to either the server or client component, resulting in arbitrary code execution as SYSTEM on the affected host. The CVSS 7.2 score reflects the need for high privileges but otherwise low attack complexity over the network without user interaction.

The Progress security bulletin for June 2024 directs administrators to upgrade Distributed Edition deployments to WhatsUp Gold 2023.1.3 or later to eliminate the vulnerable message-processing paths. The associated EPSS score has remained flat at 0.0619 with no material increase since disclosure.
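To act on the upgrade guidance above, the following Python triages an asset inventory against the 2023.1.3 fix boundary; it is an added example, not code from Progress or from this page. It assumes the two-digit form listed under Affected Assets (23.1.0) denotes the same release line as 2023.1.0, and the inventory records, host names and field names are constructed.

```python
import re

FIXED = (2023, 1, 3)  # first fixed release named on the page

def normalize(version):
    """Parse '2023.1.2', '23.1.2' or '23.1.2.4567' into (year, minor, patch); None if unparseable."""
    m = re.fullmatch(r"\s*v?(\d{4}|\d{2})\.(\d+)(?:\.(\d+))?(?:\.\d+)*\s*", version)
    if not m:
        return None
    major = int(m.group(1))
    if major < 100:  # ASSUMPTION: two-digit 23.x is the same release line as 2023.x
        major += 2000
    return (major, int(m.group(2)), int(m.group(3) or 0))

def triage(record):
    """Classify one record as 'affected', 'fixed', 'out-of-scope' or 'unknown'."""
    edition = record.get("edition", "").strip().lower()
    if not edition:
        return "unknown"          # edition not recorded: needs a manual check
    if "distributed" not in edition:
        return "out-of-scope"     # the page scopes this CVE to Distributed Edition
    parsed = normalize(record.get("version", ""))
    if parsed is None:
        return "unknown"          # never treat an unparseable version as fixed
    return "affected" if parsed < FIXED else "fixed"

def report(inventory):
    """Map each host to its triage status."""
    return {rec["host"]: triage(rec) for rec in inventory}

# Constructed sample inventory (hypothetical hosts and field names).
INVENTORY = [
    {"host": "wug-central",  "edition": "Distributed Edition", "version": "23.1.0"},
    {"host": "wug-remote-1", "edition": "Distributed Edition", "version": "2023.1.2"},
    {"host": "wug-remote-2", "edition": "Distributed Edition", "version": "2023.1.3"},
    {"host": "wug-lab",      "edition": "Premium",             "version": "22.1.0"},
    {"host": "wug-old",      "edition": "Distributed Edition", "version": "n/a"},
]

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:14} {status}")
```

Hosts reported as `unknown` should be checked by hand rather than assumed patched.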

Vulnerability details

In WhatsUp Gold versions released before 2023.1.3, Distributed Edition installations can be exploited by using a deserialization tool to achieve a Remote Code Execution as SYSTEM. The vulnerability exists in the main message processing routines NmDistributed.DistributedServiceBehavior.OnMessage for server and NmDistributed.DistributedClient.OnMessage for clients.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

progress
whatsup gold
23.1.0 · ≤ 23.1.0

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-502

Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.

Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.

Untrusted serialized data can be deserialized and observed inside the chamber, blocking gadget-chain exploitation outside the sandbox.

Validates or rejects untrusted serialized data before deserialization occurs.

Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.

Integrity verification of serialized information can detect tampering before deserialization occurs.

Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.

References