When combined, these vulnerabilities lead to a critical impact. An attacker can obtain the plain-text passwords of all users registered in WhatsUp Gold. Using these passwords, it is then possible to authenticate to WhatsUp Gold and perform further attacks (local file disclosure, authenticated SSRF).
As per the advisory from Progress, please see the table below for affected software versions:
WhatsUp® Gold provides complete visibility to everything that’s connected to your network. The unique interactive map lets you see network devices, servers, virtual machines, cloud and wireless environments in context so you can diagnose issues with pinpoint accuracy.
The remediation details provided in Progress’s advisory are satisfactory and will ensure that this vulnerability cannot be exploited.
The knowledge base article detailing the patches or workaround to apply can be found here.
The blog post detailing the steps taken for the discovery of this vulnerability can be found here.
Assetnote Security Research Team
The timeline for this disclosure process can be found below:
Apr 11th, 2022: Disclosure of multiple vulnerabilities to Progress’s security team
Apr 13th, 2022: Progress’s team asks us to submit via the HackerOne disclosure form. We refuse as it prevents disclosure of the issue.
Apr 14th, 2022: Progress’s team asks us to provide the product version and CVSS scores. We provide this information.
Apr 27th, 2022: Progress’s team asks us to get on a call to discuss updates and questions on findings. We agree to this call.
Apr 28th, 2022: A patched version of WhatsUp Gold is provided to confirm that the issues no longer exist.
May 10th, 2022: We ask for a serial key for the version provided. Progress’s team provides us with a key.
May 11th, 2022: We confirm that all the vulnerabilities reported have been fixed.