CVE-2023-6595
📋 TL;DR
CVE-2023-6595 is an authentication bypass vulnerability in WhatsUp Gold network monitoring software. Unauthenticated attackers can access an API endpoint to enumerate credential information stored in the system. Organizations using WhatsUp Gold versions before 2023.1 are affected.
💻 Affected Systems
- Progress WhatsUp Gold
📦 What is this software?
WhatsUp Gold by Progress
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal all stored credentials (SSH keys, SNMP community strings, database passwords) leading to complete network compromise and lateral movement.
Likely Case
Attackers would harvest credentials for network devices and systems monitored by WhatsUp Gold, enabling unauthorized access to infrastructure.
If Mitigated
With proper network segmentation and access controls, impact would be limited to the WhatsUp Gold system itself.
🎯 Exploit Status
Simple HTTP request to the vulnerable API endpoint; no special tools or skills required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2023.1 and later
Vendor Advisory: https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-December-2023
Restart Required: Yes
Instructions:
1. Download WhatsUp Gold 2023.1 or later from the Progress support portal.
2. Back up the current configuration and database.
3. Run the installer to upgrade.
4. Restart the WhatsUp Gold services.
🔧 Temporary Workarounds
Network Access Control
Restrict network access to the WhatsUp Gold management interface to trusted IPs only.
Use firewall rules to allow only specific source IPs to TCP ports 80/443 on WhatsUp Gold server
API Endpoint Blocking
Block access to the specific vulnerable API endpoint using a web application firewall or reverse proxy.
Add rule to block requests to /api/v1/credentials/* or similar credential enumeration endpoints
🧯 If You Can't Patch
- Isolate WhatsUp Gold server in separate VLAN with strict access controls
- Monitor for unusual API access patterns and credential enumeration attempts
🔍 How to Verify
Check if Vulnerable:
Check WhatsUp Gold version in web interface (Help > About) or via registry: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\WhatsUp Gold\Version
Check Version:
reg query "HKLM\SOFTWARE\WOW6432Node\Ipswitch\WhatsUp Gold" /v Version
Verify Fix Applied:
Verify version is 2023.1 or higher and test that unauthenticated API requests to credential endpoints return authentication errors.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated API requests to credential-related endpoints
- Multiple failed authentication attempts followed by successful credential enumeration
Network Indicators:
- Unusual HTTP GET requests to /api/v1/credentials/* from untrusted sources
- Spike in API traffic from single source
SIEM Query:
source="whatsup_gold_logs" AND (uri_path="/api/v1/credentials/*" OR endpoint="credential") AND (user="anonymous" OR auth_status="failed")
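The log and network indicators above can also be checked directly against web server logs. The following is an added example, not code from Progress or from the original page. It assumes IIS W3C-format logs in which `cs-username` is `-` for unauthenticated requests; the sample lines, the threshold and the function names are constructed for illustration, and the path prefix is the one listed in the indicators.

```python
import re
from collections import defaultdict

# Path taken from the page's indicator list; the page itself says "or similar".
CRED_PATH = re.compile(r"^/api/v1/credentials(/|$)", re.IGNORECASE)
ENUM_THRESHOLD = 3  # assumption: distinct credential URIs from one source

# Constructed sample in IIS W3C extended format (assumed log source).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-username sc-status
2023-12-20 10:00:01 10.0.5.10 GET /api/v1/credentials/1 admin 200
2023-12-20 10:00:05 203.0.113.7 GET /api/v1/credentials/1 - 200
2023-12-20 10:00:06 203.0.113.7 GET /api/v1/credentials/2 - 200
2023-12-20 10:00:07 203.0.113.7 GET /api/v1/credentials/3 - 200
2023-12-20 10:01:00 198.51.100.4 GET /api/v1/credentials/1 - 401
2023-12-20 10:02:00 198.51.100.4 GET /api/v1/devices - 401
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def unauthenticated_credential_access(text):
    """Summarise anonymous requests to credential endpoints per source IP."""
    paths = defaultdict(set)
    summary = defaultdict(lambda: {"hits": 0, "served": 0})
    for rec in parse_w3c(text):
        if rec["cs-username"] != "-":  # "-" means no authenticated user
            continue
        if not CRED_PATH.match(rec["cs-uri-stem"]):
            continue
        entry = summary[rec["c-ip"]]
        entry["hits"] += 1
        # A 2xx reply to an anonymous request is the vulnerable behaviour;
        # a patched server should answer with an authentication error.
        entry["served"] += rec["sc-status"].startswith("2")
        paths[rec["c-ip"]].add(rec["cs-uri-stem"].lower())
    for ip, entry in summary.items():
        entry["enumeration"] = len(paths[ip]) >= ENUM_THRESHOLD
    return dict(summary)
```

A non-zero `served` count for any source means credential data was returned without authentication and the stored credentials should be treated as exposed.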