DIVD-2024-00041 - Progress Software WhatsUp Gold SQL Injection Authentication Bypass
| Our reference | DIVD-2024-00041 |
| Case lead | Finn van der Knaap |
| Researcher(s) | |
| CVE(s) | |
| Products |
|
| Versions |
|
| Recommendation | Update to a non-vulnerable version |
| Patch status | Patch available |
| Workaround | none |
| Status | Open |
| Last modified | 17 Oct 2024 21:02 CEST |
Summary
WhatsUp Gold, software used for network monitoring and management, has disclosed a critical security vulnerability affecting versions released prior to 2024.0.0. This vulnerability, identified as CVE-2024-6670, involves a SQL Injection flaw that allows unauthenticated attackers to retrieve users’ encrypted passwords. Obtaining such passwords could lead to compromise of users’ accounts.
Recommendations
To remediate CVE-2024-6670, update to version 24.0.0 or later. You can find a link to the Progress bulletin at the bottom of this post. Additionally, consider making your WhatsUp Gold instance unavailable from the public internet.
What we are doing
DIVD is currently working to identify parties that are running a vulnerable version of WhatsUp Gold and to notify these parties. We do this by looking at the version numbers if possible.
Timeline
| Date | Description |
|---|---|
| 01 Oct 2024 | DIVD starts researching the vulnerability. |
| 09 Oct 2024 | DIVD finds fingerprint, preparing to scan. |
| 14 Oct 2024 | Case opened. |
| 16 Oct 2024 | Starting first scan. |
| 17 Oct 2024 | Starting second scan. |
| 17 Oct 2024 | Mails sent out. |
More information
- CVE-2024-6670
- National Vulnerability Database for CVE-2024-6670
- WhatsUp Gold Security Bulletin
- Summoning Team Analysis