Join our live webinar on February 9th - End Slow Logons Forever with ControlUp Register Now

Security Advisory – Hardcoded key

CVE-2021-45913: Security Advisory

This document addresses hardcoded key vulnerability (CVE-2021-45913) in Controlup Real-Time.

Vulnerability ID: CVE-2021-45913
Severity: High
Update Release Date: April 22, 2021
Fix version: Version >= 8.2.5 for both Hybrid Cloud and COP (On-Premises)

What was the problem?

The authentication process between ControlUp Real-Time Console/Monitor and ControlUp Real-Time Agents was based on hardcoded keys. This key could have been extracted from a ControlUp Real-Time Console/Monitor binary file and a potential attacker might use it to craft a fake ControlUp Real-Time Console/Monitor that would be able to successfully authenticate to ControlUp Real-Time Agents and run malicious actions (OS commands) with SYSTEM level privilege on a machine with the ControlUp Real-Time Agent installed.

Solution

We strongly urge you to do the following as soon as possible:

  • Upgrade to the latest version of ControlUp (8.5.1 for Hybrid Cloud/8.5 for On-Premises).
  • Deploy the latest ControlUp Real-Time Agent to all endpoints.

It is important to update/uninstall all ControlUp Real-Time Agents even if they are no longer in use. ControlUp Real-Time Agents of versions lower than 8.5 can put your organization at risk even if there is no ControlUp Console/Monitor connected to them. You can watch this 2-minute video to learn how to easily find machines with older ControlUp Real-Time Agent versions.

Upgrade Guides:
Upgrade Guide for Hybrid Cloud 8.x to 8.5
On-Premises Upgrade Guide 8.x to 8.5
Please read more about the new features and security enhancements in our Security Best Practices Guide.

Credits – Michael N. Henry and James Burton, Facebook Red Team.