WARNING: PROGRESS PATCHED 2 CRITICAL AND 1 HIGH SEVERITY SQL INJECTION VULNERABILITIES IN WHATSUP GOLD! PATCH IMMEDIATELY!
CVE-2024-6670: CVSS: 9.8
CVE-2024-6671: CVSS: 9.8
CVE-2024-6672: CVSS: 8.8
Note: At the time of writing the CVEs were reserved but not yet published.
Sources
https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024
Risks
Progress released version 2024.0.0 of its "WhatsUp Gold" software. "WhatsUp Gold" monitors the status and performance of applications, network devices, and servers, in the cloud or on-premises. Because a "WhatsUp Gold" server has broad connectivity to the systems it monitors, it is a valuable target for attackers.
In version 2024.0.0 of "WhatsUp Gold", Progress patched 3 SQL injection vulnerabilities. CVE-2024-6670 and CVE-2024-6671 allow an unauthenticated, remote attacker to retrieve a user's encrypted password. CVE-2024-6672 allows an authenticated, low-privileged attacker to change another user's password.
Update 02/09: A proof-of-concept (PoC) exploit was published for CVE-2024-6670, increasing the risk of exploitation. The PoC does not merely retrieve the encrypted password: it bypasses authentication entirely, without any prior credentials.
Update 12/09: Security researchers have observed remote code execution attacks against WhatsUp Gold. The attackers abused the Active Monitor PowerShell Script feature, a legitimate function of the product, to run their own commands on the server.
Successful exploitation of CVE-2024-6670, CVE-2024-6671, and CVE-2024-6672 allows an attacker to gain full access to the "WhatsUp Gold" appliance, resulting in a high impact on confidentiality, integrity and availability.
Description
CVE-2024-6670 (CVSS: 9.8)
In "WhatsUp Gold" versions released before 2024.0.0, if the application is configured with only one user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve that specific user's encrypted password.
Update 02/09: A public proof-of-concept exploit uses this vulnerability to bypass authentication without any prior credentials.
CVE-2024-6671 (CVSS: 9.8)
In "WhatsUp Gold" versions released before 2024.0.0, if the application is configured with only one user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.
CVE-2024-6672 (CVSS: 8.8)
In "WhatsUp Gold" versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing. Upgrade "WhatsUp Gold" to version 2024.0.0.
Monitor/Detect
The CCB recommends that organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://cert.be/en/report-incident
Patching appliances or software to the newest version protects against future exploitation, but it does not remediate a compromise that happened before the patch was applied. Check vulnerable servers for signs of prior intrusion, in particular unexpected scripts or processes launched through the Active Monitor PowerShell Script feature.
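Added example, not part of the CCB advisory and not Progress tooling: a small hunting script that covers both recommended actions above. It flags an installed version older than 2024.0.0 (still exposed to CVE-2024-6670, CVE-2024-6671 and CVE-2024-6672), and it classifies process-creation telemetry to spot the pattern behind the reported RCE attacks, where the Active Monitor PowerShell Script feature is abused to run attacker commands. Assumptions not stated in the advisory: the WhatsUp Gold polling engine that runs monitor scripts is NmPoller.exe, telemetry is available as Windows Security event 4688 fields (NewProcessName, ParentProcessName, CommandLine), and the sample records and install path are constructed for this example.

```python
"""Hunt for WhatsUp Gold exposure and Active Monitor PowerShell abuse.

Two checks:
  1. is_vulnerable_version(): installed version string older than the patched 2024.0.0.
  2. hunt(): process-creation records where the WhatsUp Gold poller spawns PowerShell,
     escalated to "alert" when the command line looks like a download/encoded payload.

Assumptions (not from the advisory): the poller binary is NmPoller.exe and the
records are flattened 4688 events in 'Key=Value|Key=Value' form. Adjust both
to your environment.
"""
import re
from dataclasses import dataclass

PATCHED_VERSION = (2024, 0, 0)
# Assumption: process that executes Active Monitor PowerShell scripts.
POLLER_PROCESS = "nmpoller.exe"
POWERSHELL = ("powershell.exe", "pwsh.exe")
# Command-line traits typical of attacker-supplied PowerShell rather than a
# monitoring script: encoded commands, hidden windows, policy bypass, downloads.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\s|-e\s+[A-Za-z0-9+/=]{20,}|downloadstring|downloadfile|"
    r"invoke-webrequest|\biwr\s|\biex\s|invoke-expression|-w(indowstyle)?\s+hidden|bypass)",
    re.IGNORECASE,
)


def parse_version(text):
    """'2023.1' -> (2023, 1, 0); keeps at most three numeric components."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_version(text):
    """True when the installed version predates the patched release."""
    return parse_version(text) < PATCHED_VERSION


@dataclass
class ProcessEvent:
    new_process: str
    parent_process: str
    command_line: str


def parse_4688_line(line):
    """Parse one flattened 4688 record (constructed format for this example)."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)
    return ProcessEvent(
        new_process=fields.get("NewProcessName", ""),
        parent_process=fields.get("ParentProcessName", ""),
        command_line=fields.get("CommandLine", ""),
    )


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """'ignore' (not poller-spawned), 'review' (poller child, verify against
    configured Active Monitors) or 'alert' (poller-spawned PowerShell with
    attacker-style arguments)."""
    if basename(ev.parent_process) != POLLER_PROCESS:
        return "ignore"
    if basename(ev.new_process) not in POWERSHELL:
        return "review"  # cmd.exe, certutil.exe etc. under the poller also deserve a look
    if SUSPICIOUS_ARGS.search(ev.command_line):
        return "alert"
    return "review"  # legitimate monitors exist; confirm the script is an expected one


def hunt(lines):
    """Return (verdict, command_line) for every non-ignored record."""
    findings = []
    for ev in map(parse_4688_line, lines):
        verdict = classify(ev)
        if verdict != "ignore":
            findings.append((verdict, ev.command_line))
    return findings


# Constructed sample records (install path is an assumption, only the file name matters).
SAMPLE_4688 = [
    r"NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentProcessName=C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe"
    r"|CommandLine=powershell.exe -NonInteractive -File C:\Scripts\check_disk.ps1",
    r"NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentProcessName=C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe"
    r"|CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    r"NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentProcessName=C:\Windows\explorer.exe"
    r"|CommandLine=powershell.exe",
]

if __name__ == "__main__":
    for v in ("2023.1", "2024.0.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "patched")
    for verdict, cmd in hunt(SAMPLE_4688):
        print(verdict.upper(), cmd)
```

Run it against exported 4688 (or equivalent Sysmon event 1) records from the WhatsUp Gold server covering the period before the patch was applied; a "review" hit is only benign if the script matches an Active Monitor an administrator actually configured.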
References
Progress: https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024
Trend Micro: https://www.trendmicro.com/en_us/research/24/i/whatsup-gold-rce.html