Full Report
WhatsUp Gold gives a user visibility into applications, network devices and servers. To do this, it requires a lot of credentials, making it a good target for attackers.

While tracing out some inputs, Sina noticed that user-controlled input was being placed into a SQL query. Classic SQL injection vulnerability! Now what? Credential leakage? Command injection? From understanding the configuration of the DB, they noticed that command execution wasn't possible because of a secure database configuration. Additionally, the credentials for the admin user were encrypted.

Reverse engineering the application found that the encryption was fairly faulty: a combination of funny hardcoded keys and keys stored in another table. This made decryption inconsistent and unreliable, which was frustrating. The idea was to find a primitive in the application to either decrypt the password or encrypt a user-controlled password to overwrite the existing one. While browsing around, they found some code that was using the same key and encrypting arbitrary user data. This gave them an encryption oracle.

So, here's the full exploit chain:

1. Use the encryption oracle to encrypt data that will be used as a password later.
2. Use the SQL injection to retrieve the encrypted value. We don't know how it's encrypted, but we know the encrypted value!
3. Use the SQL injection again to overwrite the admin password with the encrypted value.
4. Login!

Overall, a solid post! I enjoyed the reverse engineering breakdown and the creativity to turn this into an authentication bypass.
Analysis Summary
# Vulnerability: Pre-Authentication SQL Injection in Progress WhatsUp Gold
## CVE Details
- **CVE ID:** CVE-2024-6670
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
## Affected Systems
- **Products:** Progress WhatsUp Gold
- **Versions:** All versions prior to 2023.1.3 (23.1.3)
- **Configurations:** Systems where the web interface (`NmConsole`) is reachable. The vulnerability is unauthenticated (pre-auth).
## Vulnerability Description
The vulnerability exists within the `HasErrors` method of the `PerformanceMonitorErrorsController`. User-controlled input provided to the `classId` parameter is concatenated directly into a SQL query string without proper sanitization or parameterization.
While the backend database configuration prevents direct OS command execution (e.g., via `xp_cmdshell`), the injection allows for arbitrary data manipulation and extraction. Attackers can leverage this to interact with database tables containing sensitive configuration and user credentials.
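To make the defect in `HasErrors` concrete, here is an added illustration (not WhatsUp Gold's code; the `StatisticalMonitorLog` column names and the exact query are assumed) contrasting the concatenated query with a parameterized one, in Python over SQLite:

```python
import sqlite3

def make_db():
    # Constructed stand-in for the table the HasErrors check reads;
    # column names nClassId/sError are assumed, not from the product.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE StatisticalMonitorLog (nClassId INTEGER, sError TEXT)")
    db.executemany("INSERT INTO StatisticalMonitorLog VALUES (?, ?)",
                   [(1, "timeout"), (2, "auth failed")])
    return db

def has_errors_vulnerable(db, class_id):
    # The flaw: the request parameter is spliced into the SQL text, so a
    # value containing a quote can rewrite the WHERE clause.
    sql = f"SELECT COUNT(*) FROM StatisticalMonitorLog WHERE nClassId = '{class_id}'"
    return db.execute(sql).fetchone()[0] > 0

def has_errors_fixed(db, class_id):
    # Hardened form: validate the type, then bind the value as a parameter;
    # the database never interprets it as SQL, whatever it contains.
    class_id = int(class_id)
    sql = "SELECT COUNT(*) FROM StatisticalMonitorLog WHERE nClassId = ?"
    return db.execute(sql, (class_id,)).fetchone()[0] > 0
```

The vulnerable version returns "errors present" for a classId that does not exist once the value carries a quote, because the appended condition matches every row; the fixed version rejects the value before it reaches the database.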
## Exploitation
- **Status:** PoC available; exploitation demonstrated by the researchers.
- **Complexity:** Medium (Requires chain construction to bypass password encryption).
- **Attack Vector:** Network (Unauthenticated)
### Exploit Chain Details
1. **Encryption Oracle:** The attacker identifies a legitimate application feature (`JMXSecurity` settings) that encrypts user-provided strings using the same hardcoded/internal keys used for admin passwords.
2. **Encryption Primitive:** The attacker provides their desired "new password" to this feature, forcing the application to encrypt it and store it in a temporary table (e.g., `GlobalSettings`).
3. **SQL Injection (Exfiltration):** Using the SQLi in `classId`, the attacker retrieves the encrypted version of their password from the database.
4. **SQL Injection (Authentication Bypass):** The attacker uses the SQLi again to `UPDATE` the `WebUser` table, overwriting the `admin` user's `sPassword` field with the previously captured encrypted string.
5. **Login:** The attacker logs into the web console as `admin` using the plaintext password they chose.
## Impact
- **Confidentiality:** Total. Full access to the database and all managed network credentials (SMB, SSH, SNMP).
- **Integrity:** Total. Ability to modify database records and application configuration.
- **Availability:** High. Potential to disrupt network monitoring or modify system state.
- **Post-Exploitation:** Once authenticated, the product's design (e.g., running PowerShell/SSH scripts for network management) allows for Remote Code Execution (RCE) on managed endpoints.
## Remediation
### Patches
- Progress has released **WhatsUp Gold 2023.1.3**. Users should upgrade to this version or later immediately.
### Workarounds
- Fast-track patching is the primary recommendation.
- Restrict access to the WhatsUp Gold web interface to trusted IP addresses only (VPN or internal management VLAN).
## Detection
- **Indicators of Compromise (IoC):**
  - Audit logs showing unexpected modifications to the `WebUser` table, specifically for the `admin` account.
  - SQL error logs containing syntax errors referencing `StatisticalMonitorLog` or `PerformanceMonitorErrorsController`.
  - Web server logs showing unusual traffic to `/NmConsole/Platform/Filter/AlertCenterItemsReportThresholds` or `/NmConsole/WugSystemAppSettings/JMXSecurity`.
- **Keywords:** Look for the string `psyduck` in database fields or logs (as used in the researcher's PoC).
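The web-log indicators above can be turned into a simple scan. This is an added example, not from the advisory or the researcher's PoC; the log lines are constructed in an abbreviated IIS/W3C layout and the metacharacter regex is a starting point to tune, not a complete SQLi detector:

```python
import re
from urllib.parse import parse_qs, unquote
# Constructed sample lines (IIS/W3C-style, abbreviated): date time method uri-stem uri-query client-ip status
SAMPLE_LOG = """\
2024-08-29 10:01:02 GET /NmConsole/Platform/Filter/AlertCenterItemsReportThresholds classId=17 10.0.0.5 200
2024-08-29 10:01:09 GET /NmConsole/Platform/Filter/AlertCenterItemsReportThresholds classId=17'%20OR%201=1-- 198.51.100.7 500
2024-08-29 10:01:15 POST /NmConsole/WugSystemAppSettings/JMXSecurity - 198.51.100.7 200
2024-08-29 10:02:30 GET /NmConsole/Platform/Filter/AlertCenterItemsReportThresholds classId=99'%20OR%20'psyduck'='psyduck 198.51.100.7 200
2024-08-29 10:03:00 GET /NmConsole/Login - 10.0.0.5 200
"""

# Paths named in the advisory: the SQLi sink and the encryption oracle.
WATCH_PATHS = {
    "/NmConsole/Platform/Filter/AlertCenterItemsReportThresholds": "sqli-sink",
    "/NmConsole/WugSystemAppSettings/JMXSecurity": "encryption-oracle",
}
# Crude SQL-metacharacter check for classId, the parameter the advisory says is concatenated.
SQL_META = re.compile(r"['\";]|--|/\*|\b(or|union|select|update)\b", re.I)

def parse_line(line):
    date, time, method, path, query, ip, status = line.split()
    return {"ts": f"{date} {time}", "path": path, "ip": ip, "status": int(status),
            "query": "" if query == "-" else unquote(query)}

def scan_log(text):
    """Return one alert per watched request that shows at least one indicator."""
    alerts = []
    for line in text.strip().splitlines():
        req = parse_line(line)
        kind = WATCH_PATHS.get(req["path"])
        if kind is None:
            continue
        reasons = []
        if any(SQL_META.search(v) for v in parse_qs(req["query"]).get("classId", [])):
            reasons.append("sql-metacharacters-in-classId")
        if "psyduck" in req["query"].lower():
            reasons.append("psyduck-marker")
        if kind == "encryption-oracle":
            reasons.append("jmxsecurity-access")
        if reasons:
            alerts.append({"ts": req["ts"], "ip": req["ip"], "path": req["path"], "reasons": reasons})
    return alerts

def suspected_chains(alerts):
    # Client IPs that hit both the SQLi sink with metacharacters and the oracle.
    seen = {}
    for a in alerts:
        seen.setdefault(a["ip"], set()).update(a["reasons"])
    return sorted(ip for ip, r in seen.items()
                  if {"sql-metacharacters-in-classId", "jmxsecurity-access"} <= r)
```

Correlating sink and oracle access per client is the more useful signal: a single hit on the JMXSecurity page is normal admin activity, but the same source also sending quoted `classId` values matches the chain this advisory describes.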
## References
- Vendor Security Bulletin: [https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024](https://community.progress.com/s/article/WhatsUp-Gold-Security-Bulletin-August-2024)
- ZDI Advisory: [https://www.zerodayinitiative.com/advisories/ZDI-24-1185/](https://www.zerodayinitiative.com/advisories/ZDI-24-1185/)
- Researcher PoC: [https://github.com/sinsinology/CVE-2024-6670](https://github.com/sinsinology/CVE-2024-6670)