
WARNING: PROGRESS PATCHED 2 CRITICAL AND 1 HIGH SEVERITY SQL INJECTION VULNERABILITIES IN WHATSUP GOLD! PATCH IMMEDIATELY!

Reference: 
Advisory #2024-210
Version: 
1.2
Affected software: 
Progress WhatsUp Gold < 2024.0.0
Type: 
SQL Injection
CVE/CVSS: 

CVE-2024-6670: CVSS: 9.8
CVE-2024-6671: CVSS: 9.8
CVE-2024-6672: CVSS: 8.8

Note: At the time of writing, the CVEs were reserved but not yet published.

Sources

https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024

Risks

Progress released version 2024.0.0 of their "WhatsUp Gold" software. "WhatsUp Gold" is software that monitors the status and performance of applications, network devices, and servers in the cloud or on-premises. "WhatsUp Gold" is a valuable target appliance for attackers due to its broad interconnectivity.

In the latest version of "WhatsUp Gold", Progress patched 3 SQL injection vulnerabilities. CVE-2024-6670 & CVE-2024-6671 allow an unauthenticated, remote attacker to retrieve a user's encrypted password. CVE-2024-6672 allows a low-privileged attacker to change another user's password.

Update 02/09: A proof-of-concept (PoC) was made available for CVE-2024-6670, increasing the risk of exploitation. In this exploit, an attacker not only obtains the encrypted password but is also able to bypass authentication entirely.

Update 12/09: Security researchers have identified remote code execution attacks on WhatsUp Gold. The attacks abused the Active Monitor PowerShell Script, one of the product's legitimate functions.

Successful exploitation of CVE-2024-6670, CVE-2024-6671, and CVE-2024-6672 allows an attacker to gain full access to the "WhatsUp Gold" appliance, resulting in a high impact on confidentiality, integrity and availability.

Description

CVE-2024-6670 (CVSS: 9.8)

In "WhatsUp Gold" versions released before 2024.0.0, if the application is configured with only one user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve that specific user's encrypted password.

Update 02/09: In a proof-of-concept, this vulnerability has been exploited to bypass authentication without any prior credentials.

CVE-2024-6671 (CVSS: 9.8)

In "WhatsUp Gold" versions released before 2024.0.0, if the application is configured with only one user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.

CVE-2024-6672 (CVSS: 8.8)

In "WhatsUp Gold" versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing. Upgrade "WhatsUp Gold" to version 2024.0.0.

Monitor/Detect

The CCB recommends that organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
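As an added example that is not part of this advisory, of Progress' product or of any CCB tooling, the following Python helpers support the two recommended actions above: a version check against the affected range stated in the advisory (below 2024.0.0), and a filter over process-creation events that flags command shells spawned from the WhatsUp Gold install directory, the pattern behind the 12/09 update (abuse of the Active Monitor PowerShell Script). The install path, the poller process name in the sample and the Sysmon-like event shape are assumptions, and the log lines are constructed for the example.

```python
"""Triage helpers for the WhatsUp Gold SQL injection advisory (added example).

Assumptions (not from the advisory):
- versions are dotted numerics such as "2023.1.2";
- process-creation events are JSON lines with Sysmon-style keys
  (UtcTime, Image, ParentImage, CommandLine);
- the install directory below is a placeholder to adapt to your deployment.
"""
import json
import re
from typing import Iterable

# From the advisory: every release below 2024.0.0 is affected.
AFFECTED_BELOW = (2024, 0, 0)

# Assumed install path placeholder; replace with the real one on your host.
WUG_INSTALL_DIR = r"C:\Program Files (x86)\Ipswitch\WhatsUp"

# Shell images worth reviewing when launched by the monitoring service.
SHELL_IMAGES = ("powershell.exe", "pwsh.exe", "cmd.exe")


def parse_version(text: str) -> tuple:
    """Turn '2023.1.2' into (2023, 1, 2); missing components count as 0."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    nums = tuple(int(p) for p in parts[:3])
    return nums + (0,) * (3 - len(nums))


def is_affected(version: str) -> bool:
    """True when the installed version lies in the advisory's affected range."""
    return parse_version(version) < AFFECTED_BELOW


def load_events(jsonl: str) -> list:
    """Parse JSON-lines process-creation events, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def suspicious_child_shells(events: Iterable[dict]) -> list:
    """Return events where a shell was spawned by a WhatsUp Gold process.

    Legitimate Active Monitor PowerShell Scripts also match, so the output is
    a review queue to compare against the monitors actually configured, not a
    verdict on its own.
    """
    hits = []
    for ev in events:
        parent = ev.get("ParentImage", "").lower()
        image = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
        if parent.startswith(WUG_INSTALL_DIR.lower()) and image in SHELL_IMAGES:
            hits.append(ev)
    return hits


# Constructed sample log: two benign events and one shell spawned by the
# (placeholder-named) WhatsUp Gold poller process.
SAMPLE_LOG = r'''
{"UtcTime": "2024-09-12 10:01:02", "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "svchost.exe -k netsvcs"}
{"UtcTime": "2024-09-12 10:02:10", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files (x86)\\Ipswitch\\WhatsUp\\poller-placeholder.exe", "CommandLine": "powershell.exe -File C:\\temp\\monitor.ps1"}
{"UtcTime": "2024-09-12 10:03:45", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
'''


if __name__ == "__main__":
    for v in ("2023.1.3", "2024.0.0"):
        print(f"{v}: {'affected' if is_affected(v) else 'not affected'}")
    for hit in suspicious_child_shells(load_events(SAMPLE_LOG)):
        print("review:", hit["UtcTime"], hit["ParentImage"], "->", hit["CommandLine"])
```

Because the Active Monitor PowerShell Script is a legitimate product feature, every hit should be compared with the scripts the administrators actually configured; shells that match no configured monitor, or that appeared after the advisory date on an unpatched host, are the ones to escalate.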

References

Progress: https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024

Trendmicro: https://www.trendmicro.com/en_us/research/24/i/whatsup-gold-rce.html