CVE-2021-45913: Security Advisory - Hardcoded key

Vulnerability ID: CVE-2021-45913
Severity: High
Update Release Date: April 22, 2021
Fix version: Version >= 8.2.5 for both Hybrid Cloud and COP (On-Premises)

What was the problem?

The authentication process between ControlUp Real-Time Console/Monitor and ControlUp Real-Time Agents was based on hardcoded keys. This key could have been extracted from a ControlUp Real-Time Console/Monitor binary file and a potential attacker might use it to craft a fake ControlUp Real-Time Console/Monitor that would be able to successfully authenticate to ControlUp Real-Time Agents and run malicious actions (OS commands) with SYSTEM level privilege on a machine with the ControlUp Real-Time Agent installed.

Solution

We strongly urge you to do the following as soon as possible:

• Upgrade to the latest version of ControlUp (8.5.1 for Hybrid Cloud/8.5 for On-Premises).
• Deploy the latest ControlUp Real-Time Agent to all endpoints.

It is important to update/uninstall all ControlUp Real-Time Agents even if they are no longer in use. ControlUp Real-Time Agents of versions lower than 8.5 can put your organization at risk even if there is no ControlUp Console/Monitor connected to them. You can watch this 2-minute video to learn how to easily find machines with older ControlUp Real-Time Agent versions.

Upgrade Guides:
Upgrade Guide for Hybrid Cloud 8.x to 8.5
On-Premises Upgrade Guide 8.x to 8.5
Please read more about the new features and security enhancements in our Security Best Practices Guide.

We use cookies to ensure that we give you the best experience on our website. by continuing to use this site you agree to our Cookie policy. Got it