Advisory: Multiple Vulnerabilities in Progress Ipswitch WhatsUp Gold

Summary

The following vulnerabilities were discovered in Progress Ipswitch WhatsUp Gold:

CVE-2022-29845: Local File Disclosure
CVE-2022-29846: WhatsUp Gold Serial Number Disclosure
CVE-2022-29847: Unauthenticated Server-Side Request Forgery (SSRF)
CVE-2022-29848: Authenticated Server-Side Request Forgery (SSRF)

The adivsory from Progress can be found here.

Impact

When combined, these vulnerabilities lead to a critical impact. An attacker can obtain the plain-text password of all users registered in WhatsUp Gold. Using these passwords, it is then possible to authenticate to WhatsUp gold and then perform further attacks (local file disclosure, authenticated SSRF).

Affected Software

As per the advisory from Progress, please see the table below for affected software versions:

Product Description

WhatsUp® Gold provides complete visibility to everything that’s connected to your network. The unique interactive map lets you see network devices, servers, virtual machines, cloud and wireless environments in context so you can diagnose issues with pinpoint accuracy.

Solution

The remediation details provided from Progress’s advisory are satisfactory and will ensure that this vulnerabilty cannot be exploited.

The knowledge base article detailing the patches or workaround to apply can be found here.

Blog Post

The blog post detailing the steps taken for the discovery of this vulnerability can be found here.

Credits

Assetnote Security Research Team

Timeline

The timeline for this disclosure process can be found below:

Apr 11th, 2022: Disclosure of multiple vulnerabilities to Progress’s security team
Apr 13th, 2022: Progress’s team asks us to submit via the HackerOne disclosure form. We refuse as it prevents disclosure of the issue.
Apr 14th, 2022: Progress’s team asks us to provide the product version and CVSS scores. We provide this information.
Apr 27th, 2022: Progress’s team asks us to get on a call to discuss updates and questions on findings. We agree to this call.
Apr 28th, 2022: A patched version of WhatsUp Gold is provided to confirm that the issues no longer exist.
May 10th, 2022: We ask for a serial key for the version provided. Progress’s team provide us with a key.
May 11th, 2022: We confirm that all the vulnerabilities reported have been fixed.

See Assetnote in action

Find out how Assetnote can help you lock down your external attack surface.

Use the lead form below, or alternatively contact us via email by clicking here.