Explore expert insights, tips, and best practices to optimize your IT operations
Tap into a wealth of knowledge from your peers, industry experts, and the ControlUp team, deepening your understanding of ControlUp products and solutions.
ControlUp helps IT teams address common digital workplace experience challenges, no matter their use cases or existing technologies.
ControlUp offers a rich set of capabilities to improve the digital experience for employees using any desktop, any application, anywhere.
Explore expert insights, tips, and best practices to optimize your IT operations
Tap into a wealth of knowledge from your peers, industry experts, and the ControlUp team, deepening your understanding of ControlUp products and solutions.
A global organization of technology professionals transforming the desktop monitoring marketplace.
Severity: High
Update Release Date: June 29, 2021
Fix version: Version >= 8.5.0 for both Hybrid Cloud and COP (On-Premises)
What was the problem?
A Named Pipe interface within ControlUp Real-Time Agent’s process provided the ability to run actions (OS commands) without authentication. This vulnerability can be exploited locally only.
Solution
We strongly urge you to do the following as soon as possible:
- Upgrade to the latest version of ControlUp (8.5.1 for Hybrid Cloud/8.5 for On-Premises).
- Deploy the latest ControlUp Real-Time Agent to all endpoints.
It is important to update/uninstall all ControlUp Real-Time Agents even if they are no longer in use. ControlUp Real-Time Agents of versions lower than 8.5 can put your organization at risk even if there is no ControlUp Console/Monitor connected to them. You can watch this 2-minute video to learn how to easily find machines with older ControlUp Real-Time Agent versions.
Upgrade Guides:
Upgrade Guide for Hybrid Cloud 8.x to 8.5
On-Premises Upgrade Guide 8.x to 8.5
Please read more about the new features and security enhancements in our Security Best Practices Guide.
Credits – James Burton and Michael N. Henry, Facebook Red Team.