
WARNING: PROGRESS PATCHED 3 CRITICAL AND 1 HIGH SEVERITY SQL INJECTION VULNERABILITIES IN WHATSUP GOLD! PATCH IMMEDIATELY!

Reference: 
Advisory #2024-210
Version: 
1.3
Affected software: 
Progress WhatsUp Gold < 2024.0.0
Type: 
SQL Injection
CVE/CVSS: 

CVE-2024-6670: CVSS: 9.8
CVE-2024-6671: CVSS: 9.8
CVE-2024-6672: CVSS: 8.8
CVE-2024-7763: CVSS: 9.8 (Updated on 2024-10-28)

Sources

Progress: https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024

Risks

Progress released version 2024.0.0 of their "WhatsUp Gold" software. "WhatsUp Gold" is software that monitors the status and performance of applications, network devices, and servers in the cloud or on-premises. "WhatsUp Gold" is a valuable target appliance for attackers due to its broad interconnectivity.

In the latest version of "WhatsUp Gold", Progress patched 3 SQL injection vulnerabilities. CVE-2024-6670 & CVE-2024-6671 allow an unauthenticated, remote attacker to retrieve a user's encrypted password. CVE-2024-6672 allows a low-privileged attacker to change another user's password.

Update 02/09: A proof-of-concept (PoC) was made available for CVE-2024-6670, increasing the risk of exploitation. With this exploit, an attacker not only obtains the encrypted password but is also able to bypass authentication entirely.

Update 12/09: Security researchers have identified remote code execution attacks on WhatsUp Gold. The attacks abused the Active Monitor PowerShell Script feature, one of the product's legitimate functions.

Update 28/10: On 24/10/2024, CVE-2024-7763 was added to Progress’ August advisory. This is an authentication bypass vulnerability, which allows attackers to obtain encrypted user credentials.

Successful exploitation of these vulnerabilities could allow an attacker to gain full access to the "WhatsUp Gold" appliance, resulting in a high impact on confidentiality, integrity, and availability.

Description

CVE-2024-6670 (CVSS: 9.8)

In "WhatsUp Gold" versions released before 2024.0.0, if the application is configured with only one user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve that specific user's encrypted password.

Update 02/09: In a proof-of-concept, this vulnerability has been exploited to bypass authentication without any prior credentials.

CVE-2024-6671 (CVSS: 9.8)

In "WhatsUp Gold" versions released before 2024.0.0, if the application is configured with only one user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.

CVE-2024-6672 (CVSS: 8.8)

In "WhatsUp Gold" versions released before 2024.0.0, a SQL Injection vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password.

Update on 2024-10-28:

CVE-2024-7763 (CVSS: 9.8)

In “WhatsUp Gold” versions released before 2024.0.0, an improper validation of user credentials can lead to potential exploitation.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Update “WhatsUp Gold” to version 2024.0.0.

Monitor/Detect

The CCB recommends that organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Trendmicro: https://www.trendmicro.com/en_us/research/24/i/whatsup-gold-rce.html