Skip to the content.

DIVD-2024-00041 - Progress Software WhatsUp Gold SQL Injection Authentication Bypass

Our reference DIVD-2024-00041
Case lead Finn van der Knaap
Researcher(s)
CVE(s)
Products
  • Progress Software WhatsUp
Versions
  • All versions released before 2024.0.0
Recommendation Update to a non-vulnerable version
Patch status Patch available
Workaround none
Status Open
Last modified 17 Oct 2024 21:02 CEST

Summary

WhatsUp Gold, software used for network monitoring and management, has disclosed a critical security vulnerability affecting versions released prior to 2024.0.0. This vulnerability, identified as CVE-2024-6670, involves a SQL Injection flaw that allows unauthenticated attackers to retrieve users’ encrypted passwords. Obtaining such passwords could lead to compromise of users’ accounts.

Recommendations

To remediate CVE-2024-6670, update to version 24.0.0 or later. You can find a link to the Progress bulletin at the bottom of this post. Additionally, consider making your WhatsUp Gold instance unavailable from the public internet.

What we are doing

DIVD is currently working to identify parties that are running a vulnerable version of WhatsUp Gold and to notify these parties. We do this by looking at the version numbers if possible.

Timeline

Date Description
01 Oct 2024 DIVD starts researching the vulnerability.
09 Oct 2024 DIVD finds fingerprint, preparing to scan.
14 Oct 2024 Case opened.
16 Oct 2024 Starting first scan.
17 Oct 2024 Starting second scan.
17 Oct 2024 Mails sent out.
gantt title DIVD-2024-00041 - Progress Software WhatsUp Gold SQL Injection Authentication Bypass dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2024-00041 - Progress Software WhatsUp Gold SQL Injection Authentication Bypass (still open) :2024-09-24, 2024-11-19 section Events DIVD starts researching the vulnerability. : milestone, 2024-10-01, 0d DIVD finds fingerprint, preparing to scan. : milestone, 2024-10-09, 0d Case opened. : milestone, 2024-10-14, 0d Starting first scan. : milestone, 2024-10-16, 0d Starting second scan. : milestone, 2024-10-17, 0d Mails sent out. : milestone, 2024-10-17, 0d

More information