The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added vulnerabilities affecting the Microsoft Windows MSHTML Platform and the Progress WhatsUp Gold network monitoring solution to its Known Exploited Vulnerabilities (KEV) catalog after proofs of concept (PoCs) emerged and security researchers observed active exploitation of the vulnerabilities.
We’ll examine the vulnerabilities, the next steps for affected products, and the best practices that all organizations should follow.
CVE-2024-6670 is a critical 9.8 severity SQL Injection vulnerability affecting versions of Progress WhatsUp Gold released before 2024.0.0.
The vulnerability in affected versions of the network monitoring software allows an unauthenticated attacker to retrieve the user’s encrypted password if the application is configured with only a single user.
Exploitation began within hours of a proof of concept for the vulnerability being published on GitHub, even though a patch had been available since mid-August, suggesting that some users were slow to update affected versions.
Trend Micro researchers detected remote code execution (RCE) attacks against WhatsUp Gold that exploited the Active Monitor PowerShell Script, leveraging CVE-2024-6670 and CVE-2024-6671, a companion vulnerability also rated 9.8.
Both vulnerabilities are patched starting with version 2024.0.0.
The Cyble ODIN scanner detected 381 internet-exposed Progress WhatsUp Gold instances, as shown in the figure below. Progress WhatsUp Gold users are urged to upgrade as soon as possible and check for indicators of compromise in their environments.
CVE-2024-43461 is a high-severity (CVSS: 8.8) vulnerability in the Microsoft Windows MSHTML platform, the Internet Explorer browser engine. It is a UI misrepresentation flaw that allows attackers to spoof web pages. This vulnerability was exploited in conjunction with CVE-2024-38112.
Microsoft has announced the retirement of Internet Explorer 11 and deprecated Microsoft Edge Legacy. However, MSHTML, EdgeHTML, and related scripting platforms remain supported. MSHTML is used in Internet Explorer mode in Microsoft Edge and other applications via WebBrowser control. WebView and some UWP apps utilize EdgeHTML. Updates for vulnerabilities in MSHTML and scripting platforms are included in IE Cumulative Updates, but EdgeHTML and Chakra updates are not.
CVE-2024-43461 was exploited in conjunction with CVE-2024-38112 before July 2024. A fix for CVE-2024-38112, released in July 2024, disrupted this attack chain. To ensure complete protection, customers should install both the July 2024 and September 2024 security updates.
Affected Windows products include:
The recent addition of these vulnerabilities to the CISA KEV database underscores their active exploitation. These vulnerabilities can lead to severe security breaches, including unauthorized access to sensitive information and effective spoofing of web pages. Owners of affected products are urged to update their systems with the latest patch released by the official vendor.
Cyble urges the following best practices: