Advisory: Multiple Vulnerabilities in Progress Ipswitch WhatsUp Gold
Summary
The following vulnerabilities were discovered in Progress Ipswitch WhatsUp Gold:
- CVE-2022-29845: Local File Disclosure
- CVE-2022-29846: WhatsUp Gold Serial Number Disclosure
- CVE-2022-29847: Unauthenticated Server-Side Request Forgery (SSRF)
- CVE-2022-29848: Authenticated Server-Side Request Forgery (SSRF)
The advisory from Progress can be found here.
Impact
When combined, these vulnerabilities lead to a critical impact. An attacker can obtain the plain-text passwords of all users registered in WhatsUp Gold. Using these passwords, it is then possible to authenticate to WhatsUp Gold and perform further attacks (local file disclosure, authenticated SSRF).
Affected Software
As per the advisory from Progress, please see the table below for affected software versions:
Product Description
WhatsUp® Gold provides complete visibility to everything that’s connected to your network. The unique interactive map lets you see network devices, servers, virtual machines, cloud and wireless environments in context so you can diagnose issues with pinpoint accuracy.
Solution
The remediation details provided in Progress’s advisory are satisfactory and will ensure that this vulnerability cannot be exploited.
The knowledge base article detailing the patches or workaround to apply can be found here.
Blog Post
The blog post detailing the steps taken for the discovery of this vulnerability can be found here.
Credits
Assetnote Security Research Team
Timeline
The timeline for this disclosure process can be found below:
- Apr 11th, 2022: Disclosure of multiple vulnerabilities to Progress’s security team
- Apr 13th, 2022: Progress’s team asks us to submit via the HackerOne disclosure form. We refuse as it prevents disclosure of the issue.
- Apr 14th, 2022: Progress’s team asks us to provide the product version and CVSS scores. We provide this information.
- Apr 27th, 2022: Progress’s team asks us to get on a call to discuss updates and questions on findings. We agree to this call.
- Apr 28th, 2022: A patched version of WhatsUp Gold is provided to confirm that the issues no longer exist.
- May 10th, 2022: We ask for a serial key for the version provided. Progress’s team provides us with a key.
- May 11th, 2022: We confirm that all the vulnerabilities reported have been fixed.