Talos Vulnerability Report

TALOS-2024-1934

Progress Software Corporation WhatsUp Gold TestController Chart denial of service vulnerability

June 26, 2024
CVE Number

CVE-2024-5011

SUMMARY

An uncontrolled resource consumption vulnerability exists in the TestController Chart functionality of Progress Software Corporation WhatsUp Gold 23.1.0 Build 1697. A specially crafted HTTP request can lead to denial of service. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Progress Software Corporation WhatsUp Gold 23.1.0 Build 1697

PRODUCT URLS

WhatsUp Gold - https://www.whatsupgold.com/

CVSSv3 SCORE

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

DETAILS

WhatsUp Gold is a network monitoring and management software developed by Progress. WhatsUp Gold is designed to provide visibility into IT infrastructure, allowing organizations to monitor the performance and health of networks, devices, servers, applications, and other critical components. It offers features such as network mapping, performance monitoring, alerting, and reporting to help IT professionals ensure the optimal functioning of their network infrastructure.

There is a TestController endpoint that exposes certain actions to unauthenticated users. One of the actions available in TestController is the Chart creation function. The vulnerable code looks as follows:

Line 1 		public ActionResult Chart(int? pieces = 5, string type = "pie", bool area3d = false)
Line 2 		{
Line 3 			using MemoryStream memoryStream = new MemoryStream();
Line 4 			CreateChart(pieces ?? 5, type, area3d).SaveImage(memoryStream, ChartImageFormat.Png);
Line 5 			memoryStream.Seek(0L, SeekOrigin.Begin);
Line 6 			return (ActionResult)(object)((Controller)this).File(memoryStream.ToArray(), "image/png", "mychart.png");
Line 7 		}
Line 8 (...)
Line 9 
Line 10		private Chart CreateChart(int pieces, string type = "pie", bool area3d = false)
Line 11		{
Line 12			Chart chart = new Chart();
Line 13			chart.Width = 350;
Line 14			chart.Height = 300;
Line 15			chart.Attributes.Add("align", "left");
Line 16			chart.Titles.Add("Chart Example");
Line 17			chart.ChartAreas.Add(new ChartArea());
Line 18			chart.Series.Add(new Series());
Line 19			chart.Legends.Add(new Legend("Chart"));
Line 20			chart.Legends[0].TableStyle = LegendTableStyle.Auto;
Line 21			chart.Legends[0].Docking = Docking.Bottom;
Line 22			if (area3d)
Line 23			{
Line 24				chart.ChartAreas[0].Area3DStyle.Enable3D = true;
Line 25			}
Line 26			if (type == "pie")
Line 27			{
Line 28				chart.Series[0].ChartType = SeriesChartType.Pie;
Line 29				chart.Series[0]["PieDrawingStyle"] = "Concave";
Line 30			}
Line 31			else if (type == "bar")
Line 32			{
Line 33				chart.Series[0].ChartType = SeriesChartType.Bar;
Line 34			}
Line 35			for (int i = 0; i < pieces; i++)
Line 36			{
Line 37				string text = "Mem " + (i + 1);
Line 38				decimal num = randomNumber(1, 100);
Line 39				int num2 = i;
Line 40				int index = chart.Series[0].Points.AddXY(text, num);
Line 41				DataPoint dataPoint = chart.Series[0].Points[index];
Line 42				dataPoint.Url = "/Member/Detail/" + num2;
Line 43				dataPoint.ToolTip = text + ": #VALY";
Line 44				dataPoint.LegendText = "#VALX: #VALY";
Line 45				dataPoint.LegendUrl = "/Member/Detail/" + num2;
Line 46			}
Line 47			chart.Series[0].Legend = "Chart";
Line 48			return chart;
Line 49		}

An attacker has complete control over all arguments of the CreateChart function, of which the most crucial is pieces. This argument controls the number of iterations of the for loop in lines 35-46. An attacker setting the pieces value to a high number, e.g., 100000, will cause significant CPU resource consumption for a considerable amount of time. By repeating such requests, an attacker with limited resources can completely block the functionality of the system.
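
A hardened form of the action is shown below as an added illustration of the missing checks; it is not the vendor's patch, and MaxPieces is a bound chosen for this example rather than a value from the advisory.

```csharp
using System;
using System.IO;
using System.Web.Mvc;
using System.Web.UI.DataVisualization.Charting;

public class TestController : Controller
{
    // Assumed upper bound on chart slices (chosen for this example, not from the
    // advisory): the sample chart only ever needs a handful, so larger values are rejected.
    private const int MaxPieces = 50;

    // Restrict the action to authenticated users; the original was reachable anonymously.
    [Authorize]
    public ActionResult Chart(int? pieces = 5, string type = "pie", bool area3d = false)
    {
        int count = pieces ?? 5;
        // Validate the caller-controlled loop bound before any rendering work is done.
        if (count < 1 || count > MaxPieces)
        {
            return new HttpStatusCodeResult(400, "pieces must be between 1 and " + MaxPieces);
        }
        if (type != "pie" && type != "bar")
        {
            return new HttpStatusCodeResult(400, "type must be 'pie' or 'bar'");
        }

        using (MemoryStream memoryStream = new MemoryStream())
        {
            CreateChart(count, type, area3d).SaveImage(memoryStream, ChartImageFormat.Png);
            return File(memoryStream.ToArray(), "image/png", "mychart.png");
        }
    }

    // Same rendering as the advisory's CreateChart, now only called with a bounded count.
    private Chart CreateChart(int pieces, string type, bool area3d)
    {
        Chart chart = new Chart { Width = 350, Height = 300 };
        chart.ChartAreas.Add(new ChartArea());
        chart.Series.Add(new Series());
        chart.ChartAreas[0].Area3DStyle.Enable3D = area3d;
        chart.Series[0].ChartType = type == "pie" ? SeriesChartType.Pie : SeriesChartType.Bar;
        Random rng = new Random();
        for (int i = 0; i < pieces; i++)
        {
            // Loop count is at most MaxPieces, so the work per request stays bounded.
            chart.Series[0].Points.AddXY("Mem " + (i + 1), rng.Next(1, 101));
        }
        return chart;
    }
}
```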

Exploit Proof of Concept

curl -i "http://192.168.0.252/NmConsole/Wug/Test/Chart?pieces=1000&type=pie&area3d=false"

TIMELINE

2024-02-07 - Initial Vendor Contact
2024-02-12 - Vendor Disclosure
2024-06-25 - Vendor Patch Release
2024-06-26 - Public Release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.