CVE-2024-5011
An uncontrolled resource consumption vulnerability exists in the TestController Chart functionality of Progress Software Corporation WhatsUp Gold 23.1.0 Build 1697. A specially crafted HTTP request can lead to denial of service. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Progress Software Corporation WhatsUp Gold 23.1.0 Build 1697
WhatsUp Gold - https://www.whatsupgold.com/
7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-400 - Uncontrolled Resource Consumption
WhatsUp Gold is network monitoring and management software developed by Progress. WhatsUp Gold is designed to provide visibility into IT infrastructure, allowing organizations to monitor the performance and health of networks, devices, servers, applications, and other critical components. It offers features such as network mapping, performance monitoring, alerting, and reporting to help IT professionals ensure the optimal functioning of their network infrastructure.
There is a TestController endpoint exposing certain actions to unauthenticated users. One of the actions available in TestController is the Chart creation function.
The vulnerable code looks like this:
Line 1 public ActionResult Chart(int? pieces = 5, string type = "pie", bool area3d = false)
Line 2 {
Line 3 using MemoryStream memoryStream = new MemoryStream();
Line 4 CreateChart(pieces ?? 5, type, area3d).SaveImage(memoryStream, ChartImageFormat.Png);
Line 5 memoryStream.Seek(0L, SeekOrigin.Begin);
Line 6 return (ActionResult)(object)((Controller)this).File(memoryStream.ToArray(), "image/png", "mychart.png");
Line 7 }
Line 8 (...)
Line 9
Line 10 private Chart CreateChart(int pieces, string type = "pie", bool area3d = false)
Line 11 {
Line 12 Chart chart = new Chart();
Line 13 chart.Width = 350;
Line 14 chart.Height = 300;
Line 15 chart.Attributes.Add("align", "left");
Line 16 chart.Titles.Add("Chart Example");
Line 17 chart.ChartAreas.Add(new ChartArea());
Line 18 chart.Series.Add(new Series());
Line 19 chart.Legends.Add(new Legend("Chart"));
Line 20 chart.Legends[0].TableStyle = LegendTableStyle.Auto;
Line 21 chart.Legends[0].Docking = Docking.Bottom;
Line 22 if (area3d)
Line 23 {
Line 24 chart.ChartAreas[0].Area3DStyle.Enable3D = true;
Line 25 }
Line 26 if (type == "pie")
Line 27 {
Line 28 chart.Series[0].ChartType = SeriesChartType.Pie;
Line 29 chart.Series[0]["PieDrawingStyle"] = "Concave";
Line 30 }
Line 31 else if (type == "bar")
Line 32 {
Line 33 chart.Series[0].ChartType = SeriesChartType.Bar;
Line 34 }
Line 35 for (int i = 0; i < pieces; i++)
Line 36 {
Line 37 string text = "Mem " + (i + 1);
Line 38 decimal num = randomNumber(1, 100);
Line 39 int num2 = i;
Line 40 int index = chart.Series[0].Points.AddXY(text, num);
Line 41 DataPoint dataPoint = chart.Series[0].Points[index];
Line 42 dataPoint.Url = "/Member/Detail/" + num2;
Line 43 dataPoint.ToolTip = text + ": #VALY";
Line 44 dataPoint.LegendText = "#VALX: #VALY";
Line 45 dataPoint.LegendUrl = "/Member/Detail/" + num2;
Line 46 }
Line 47 chart.Series[0].Legend = "Chart";
Line 48 return chart;
Line 49 }
An attacker has complete control over all arguments of the CreateChart function, the most crucial of which is pieces. This argument controls the number of iterations of the for loop on lines 35-46. An attacker setting the pieces value to a high number, e.g., 100000, will cause significant CPU consumption for a considerable amount of time.
By repeating such requests, an attacker with limited resources can completely block the functionality of the system.
curl -i "http://192.168.0.252/NmConsole/Wug/Test/Chart?pieces=1000&type=pie&area3d=false"
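As an added illustration from the detection side (not part of the Talos advisory or the vendor's code), the following Python script parses a constructed IIS W3C log excerpt and flags requests to the Chart endpoint whose pieces parameter exceeds a threshold, grouped by client IP. The MAX_PIECES bound, the log field order and the sample lines are assumptions.

```python
"""Detect oversized requests to the WhatsUp Gold TestController Chart
endpoint (CVE-2024-5011) in IIS W3C access logs."""
from collections import Counter
from urllib.parse import parse_qs

CHART_PATH = "/nmconsole/wug/test/chart"
MAX_PIECES = 50  # assumed sane upper bound; the action's default is 5

# Constructed sample log excerpt in IIS W3C format (not real traffic).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2024-02-07 10:00:01 10.0.0.5 GET /NmConsole/Wug/Test/Chart pieces=5&type=pie&area3d=false 80 - 10.0.0.20 curl/8.0 200 120
2024-02-07 10:00:02 10.0.0.5 GET /NmConsole/Wug/Test/Chart pieces=100000&type=pie&area3d=false 80 - 203.0.113.9 curl/8.0 200 48000
2024-02-07 10:00:03 10.0.0.5 GET /NmConsole/Wug/Test/Chart pieces=100000&type=bar&area3d=true 80 - 203.0.113.9 curl/8.0 200 47500
2024-02-07 10:00:04 10.0.0.5 GET /NmConsole/Wug/Test/Chart pieces=abc&type=pie&area3d=false 80 - 203.0.113.9 curl/8.0 200 110
2024-02-07 10:00:05 10.0.0.5 GET /NmConsole/Index - 80 - 10.0.0.21 Mozilla/5.0 200 30
"""

def parse_w3c(text):
    """Yield one dict per log row, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed row: skip rather than guess
        yield dict(zip(fields, parts))

def chart_pieces(row):
    """Return the integer pieces value of a Chart request, 0 if the value is
    not numeric, or None if the row is not a Chart request at all."""
    if row.get("cs-uri-stem", "").lower() != CHART_PATH:
        return None
    raw = parse_qs(row.get("cs-uri-query", "")).get("pieces", [""])[0]
    # Only a large integer drives the loop; anything else is not counted.
    return int(raw) if raw.lstrip("-").isdigit() else 0

def find_abuse(text, max_pieces=MAX_PIECES):
    """Return (Counter of oversized Chart requests per client IP,
    list of (client IP, pieces, time-taken ms) for each flagged row)."""
    offenders, flagged = Counter(), []
    for row in parse_w3c(text):
        pieces = chart_pieces(row)
        if pieces is not None and pieces > max_pieces:
            offenders[row["c-ip"]] += 1
            flagged.append((row["c-ip"], pieces, int(row.get("time-taken", 0))))
    return offenders, flagged

if __name__ == "__main__":
    counts, _ = find_abuse(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} oversized Chart request(s)")
```

The time-taken column is kept in the flagged rows because a sudden jump in it on this endpoint is the simplest corroborating signal that the loop, not the network, consumed the time.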
2024-02-07 - Initial Vendor Contact
2024-02-12 - Vendor Disclosure
2024-06-25 - Vendor Patch Release
2024-06-26 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.