CVE-2022-29847

7.5 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to invoke an API transaction that relays encrypted WhatsUp Gold user credentials to arbitrary hosts. It affects Progress Ipswitch WhatsUp Gold versions 21.0.0 through 21.1.1 and 22.0.0, potentially exposing sensitive authentication data.

💻 Affected Systems

Products:
  • Progress Ipswitch WhatsUp Gold
Versions: 21.0.0 through 21.1.1, and 22.0.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could capture encrypted credentials, potentially decrypt them, and gain unauthorized access to WhatsUp Gold systems, leading to network monitoring compromise and lateral movement.

🟠 Likely Case

Attackers intercept encrypted credentials, which may be decrypted depending on encryption strength, leading to unauthorized access and potential privilege escalation.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to credential exposure without successful decryption or system access.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation makes internet-facing instances particularly vulnerable to credential harvesting attacks.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable to insider threats or compromised internal systems, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and involves simple API calls, making exploitation straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 21.1.2 and 22.0.1

Vendor Advisory: https://community.progress.com/s/article/WhatsUp-Gold-Critical-Product-Alert-May-2022

Restart Required: Yes

Instructions:

1. Download the patch from Progress support portal.
2. Backup current installation.
3. Apply the patch following vendor instructions.
4. Restart WhatsUp Gold services.

🔧 Temporary Workarounds

Network Access Restriction

all

Restrict network access to WhatsUp Gold API endpoints to trusted IP addresses only.

Use firewall rules to limit access to TCP ports used by WhatsUp Gold (typically 80/443 and management ports)

API Endpoint Disablement

windows

Disable vulnerable API endpoints if not required for functionality.

Consult vendor documentation for specific API endpoint configuration

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate WhatsUp Gold from untrusted networks
  • Monitor for unusual API calls and credential relay attempts in network traffic

🔍 How to Verify

Check if Vulnerable:

Check WhatsUp Gold version via web interface (Help > About) or installation directory properties.

Check Version:

Check web interface at https://[hostname]:[port]/NMS/Help/About or examine installation directory properties.

Verify Fix Applied:

Verify that the version is 21.1.2 or higher for v21.x, or 22.0.1 or higher for v22.x. Test that the API endpoints are no longer accessible without authentication.
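The version ranges above, applied to a list of reported version strings. This is an added example, not vendor or page code; the hostnames and version strings in SAMPLE_INVENTORY are constructed, and the function names are hypothetical.

```python
import re

# Ranges taken from this page: 21.0.0 through 21.1.1 and 22.0.0 are affected;
# 21.1.2 and 22.0.1 are the patched releases.
AFFECTED = [((21, 0, 0), (21, 1, 1)), ((22, 0, 0), (22, 0, 0))]
FIXED_FLOOR = {21: (21, 1, 2), 22: (22, 0, 1)}


def parse_version(text):
    """Return (major, minor, patch) from strings such as 'v22.0.0 Build 39'.

    A string without all three components (for example '21.1') is ambiguous
    against these ranges, so it is rejected rather than padded with zeros.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def classify(text):
    """Map a version string to 'vulnerable', 'fixed', 'not-listed' or 'unparsed'."""
    v = parse_version(text)
    if v is None:
        return "unparsed"
    if any(lo <= v <= hi for lo, hi in AFFECTED):
        return "vulnerable"
    floor = FIXED_FLOOR.get(v[0])
    if floor and v >= floor:
        return "fixed"
    # The page does not cover other major versions, so make no claim about them.
    return "not-listed"


def triage(inventory):
    """Return (host, version, status) rows that need action, vulnerable first."""
    order = {"vulnerable": 0, "unparsed": 1, "not-listed": 2}
    rows = [(host, ver, classify(ver)) for host, ver in inventory.items()]
    flagged = [r for r in rows if r[2] in order]
    return sorted(flagged, key=lambda r: (order[r[2]], r[0]))


# Constructed sample data: hostnames and version strings are illustrative only.
SAMPLE_INVENTORY = {
    "wug-dc1": "21.1.1",
    "wug-dc2": "WhatsUp Gold v22.0.1",
    "wug-lab": "22.0.0 Build 39",
    "wug-old": "20.0.4",
    "wug-branch": "21.1",
}

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {ver:24} {status}")
```

Hosts reported as "unparsed" or "not-listed" need a manual check in Help > About, since the page gives no status for them.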

📡 Detection & Monitoring

Log Indicators:

  • Unusual API calls from unauthenticated sources
  • Credential-related API transactions to external hosts
  • Failed authentication attempts following API calls

Network Indicators:

  • Outbound connections from WhatsUp Gold to unexpected external IPs
  • Unusual API traffic patterns
  • Credential data in network traffic

SIEM Query:

source="WhatsUpGold" AND ((event_type="api_call" AND user="anonymous") OR (destination_ip NOT IN trusted_networks AND protocol="http" AND uri_contains="credential"))
