
Cloud Vulnerability DB
A community-led vulnerabilities database
A hardcoded key vulnerability (CVE-2021-45913) was discovered in ControlUp Real-Time Agent (cuAgent.exe) before version 8.2.5. The vulnerability affects the authentication process between ControlUp Real-Time Console/Monitor and ControlUp Real-Time Agents. The issue was disclosed and patched on April 22, 2021 (Vendor Advisory).
The vulnerability stems from the use of hardcoded keys in the authentication process between ControlUp Real-Time Console/Monitor and ControlUp Real-Time Agents. The hardcoded key could be extracted from a ControlUp Real-Time Console/Monitor binary file. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) (NVD).
An attacker who extracts the hardcoded key could craft a fake ControlUp Real-Time Console/Monitor that would be able to successfully authenticate to ControlUp Real-Time Agents. This would allow the attacker to execute malicious operating system commands with SYSTEM-level privileges on machines with vulnerable ControlUp Real-Time Agents installed (Vendor Advisory).
ControlUp strongly recommends upgrading to version 8.5.1 for Hybrid Cloud or 8.5 for On-Premises installations. All ControlUp Real-Time Agents should be updated or uninstalled, even if they are no longer in use, as agents with versions lower than 8.5 can put organizations at risk even without an active Console/Monitor connection (Vendor Advisory).
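An added example (not from ControlUp or the advisory) for the remediation step above: a PowerShell audit, run locally on a Windows host, that finds any service pointing at cuAgent.exe, whether running or not, and flags binaries below 8.5. It assumes the file version resource of cuAgent.exe tracks the agent version; the function name and output columns are hypothetical.

```powershell
# Added example: local audit for ControlUp Real-Time Agent binaries below the
# recommended version. Only "cuAgent.exe" and the 8.5 threshold come from the page.
$MinimumVersion = [version]'8.5'   # agents lower than 8.5 are treated as at risk

function Get-ExePathFromServiceCommand {
    param([string]$CommandLine)
    # A service PathName may be quoted and may carry arguments; keep only the .exe path.
    if ($CommandLine -match '^\s*"([^"]+\.exe)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

# Do not filter on State: a stopped or disabled agent that is no longer in use still counts.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match 'cuAgent\.exe' }

$findings = foreach ($svc in $services) {
    $path = Get-ExePathFromServiceCommand -CommandLine $svc.PathName
    $fileVersion = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        # Assumption: the numeric file version reflects the agent version.
        $candidate = New-Object version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        # 0.0.0.0 means the binary has no version resource; report it as unknown.
        if ($candidate -ne [version]'0.0.0.0') { $fileVersion = $candidate }
    }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Service   = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        Path      = $path
        Version   = $fileVersion
        Status    = if (-not $fileVersion) { 'UNKNOWN: verify manually' }
                    elseif ($fileVersion -lt $MinimumVersion) { 'AT RISK: update or uninstall' }
                    else { 'OK' }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output 'No service referencing cuAgent.exe found on this host.' }
```

A host with no matching service can still hold a leftover binary on disk, so pair this with a software inventory or file search before declaring a machine clean.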
Source: This report was generated using AI