CVE-2024-6670
📋 TL;DR
An unauthenticated SQL injection vulnerability in WhatsUp Gold allows attackers to retrieve encrypted user passwords. This affects all WhatsUp Gold versions before 2024.0.0. Organizations using vulnerable versions are at risk of credential compromise.
💻 Affected Systems
- Progress WhatsUp Gold
📦 What is this software?
Whatsup Gold by Progress
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access, pivot to other systems, and potentially achieve full network compromise through credential reuse or decryption.
Likely Case
Attackers retrieve encrypted passwords, attempt offline cracking, and gain unauthorized access to the WhatsUp Gold system and connected network resources.
If Mitigated
With proper network segmentation and monitoring, impact is limited to the WhatsUp Gold system itself, though credential exposure remains a concern.
🎯 Exploit Status
SQL injection vulnerabilities are commonly weaponized, and CISA has added this to their Known Exploited Vulnerabilities catalog, indicating active exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.0.0 or later
Vendor Advisory: https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024
Restart Required: Yes
Instructions:
1. Download WhatsUp Gold 2024.0.0 or later from Progress support portal. 2. Backup current configuration and database. 3. Run the installer to upgrade. 4. Restart the WhatsUp Gold service and verify functionality.
🔧 Temporary Workarounds
Network Access Restriction
allRestrict network access to WhatsUp Gold to only trusted administrative networks
Web Application Firewall
allDeploy a WAF with SQL injection protection rules in front of WhatsUp Gold
🧯 If You Can't Patch
- Isolate WhatsUp Gold system on a dedicated VLAN with strict firewall rules allowing only necessary administrative access
- Implement additional authentication layer (VPN, reverse proxy with MFA) for accessing WhatsUp Gold interface
🔍 How to Verify
Check if Vulnerable:
Check WhatsUp Gold version via web interface (Help > About) or installation directory propertiesCheck Version:
Check 'About' in web interface or examine installed programs in Windows Control PanelVerify Fix Applied:
Confirm version is 2024.0.0 or later and test that SQL injection attempts are blocked📡 Detection & Monitoring
Log Indicators:
- Unusual SQL query patterns in database logs
- Multiple failed login attempts followed by successful access
- Requests with SQL syntax in URL parameters
Network Indicators:
- Unusual outbound connections from WhatsUp Gold server
- Traffic patterns suggesting database enumeration
SIEM Query:
source="whatsup_gold" AND (url="*SELECT*" OR url="*UNION*" OR url="*FROM*users*")