In conjunction with a third-party security researcher, Assetnote, we addressed a series of chained vulnerabilities within Progress WhatsUp Gold. Learn how our combined efforts lead us to fix the identified issues and mitigate the risks and protect our customers.
Earlier this year, Assetnote’s Shubham Shah, security researcher and CTO of a continuous security monitoring platform company, informed us of what he described as a “perfect storm of vulnerabilities” within versions 16.1 -21.1.1 and 22.0.0 of Progress WhatsUp Gold. And within the eye of this so-called storm lies the ability for an attacker to obtain sensitive information, including encrypted passwords. With this information in hand, we knew it was time to get to work.
With the help of Assetnote we were able to productively resolve the security flaws found within WhatsUp Gold quickly and effectively. The vulnerabilities Assetnote found were within WhatsUp Gold versions 21.0.0 or higher, in which an unauthenticated API endpoint could enable an attacker to obtain unauthorized access to the WhatsUp Gold application and, in turn, the underlying operating system.
The following vulnerabilities were chained together and our advisory of the issues identified can be found here. This was also widely communicated out to the WhatsUp Gold customer base on May 11, 2022.
- CVE-2022-29845: Local File Disclosure
- CVE-2022-29846: WhatsUp Gold Serial Number Disclosure
- CVE-2022-29847: Unauthenticated Server-Side Request Forgery (SSRF)
- CVE-2022-29848: Authenticated Server-Side Request Forgery (SSRF)
Assetnote’s security researcher was able to simulate each of the above attacks and provide us the illustrations and visibility needed to start developing the appropriate updates.
Responsibly disclosing vulnerabilities and working in a coordinated fashion with researchers is always a priority for Progress.
Over the course of one month (April 11 – May 11, 2022), we synchronized our efforts with Assetnote. The company was willing to highlight demonstrations of what vulnerabilities they found and set up private meetings with us.
Assetnote’s findings, which provided us updated documentation, enabled the release WhatsUp Gold versions 22.0.1 and 21.1.2, which remedied the identified chain vulnerabilities. Please review the KB article released on May 11, 2022, for more details
Our commitment to the swift remediation of security vulnerabilities.
If you have WhatsUp Gold version 21.0.0 or higher currently deployed, we strongly encourage you to read our WhatsUp Gold community post and to take the appropriate action. Not only does the post go into detail about this incident, but it provides a link to download the latest update that remedies the issue.
Finally, we would like to extend a big thank you to Shubham Shah, Co-Founder and CTO of Assetnote, and his team for their research and proactively reaching out to us.
If you have any questions, concerns, or problems related to this issue, please login to open a new Technical Support case here, or reach out to your implementation partner. Technical Support is available to WhatsUp Gold customers under warranty and active maintenance.
For additional information or reporting vulnerabilities as it relates to other Progress products, refer to the Progress Security Center: https://www.progress.com/security