CVE-2024-6672 Overview
CVE-2024-6672 is a SQL Injection vulnerability affecting Progress WhatsUp Gold versions released before 2024.0.0. This vulnerability allows an authenticated low-privileged attacker to achieve privilege escalation by modifying a privileged user's password through malicious SQL queries.
Critical Impact
An authenticated attacker with minimal privileges can escalate to administrative access by manipulating the application's database queries to modify privileged user credentials.
Affected Products
- Progress WhatsUp Gold versions prior to 2024.0.0
- All WhatsUp Gold deployments running vulnerable versions
Discovery Timeline
- 2024-08-29 - CVE-2024-6672 published to NVD
- 2024-09-04 - Last updated in NVD database
Technical Details for CVE-2024-6672
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) exists in Progress WhatsUp Gold's authentication and user management components. The application fails to properly sanitize user-supplied input before incorporating it into SQL queries, allowing attackers to inject malicious SQL statements.
The vulnerability is particularly severe because it enables privilege escalation through password modification. An attacker with valid low-privileged credentials can craft SQL injection payloads that directly manipulate the user credential store, allowing them to reset administrative passwords and gain full control of the WhatsUp Gold monitoring platform.
WhatsUp Gold is widely deployed as a network monitoring solution in enterprise environments, making this vulnerability especially concerning as it could provide attackers with visibility into critical network infrastructure and potentially serve as a pivot point for lateral movement.
Root Cause
The root cause of CVE-2024-6672 is improper input validation and insufficient parameterization of SQL queries in the WhatsUp Gold application. User-controlled input is concatenated directly into SQL statements without proper sanitization or the use of prepared statements, allowing attackers to break out of the intended query context and execute arbitrary SQL commands.
Attack Vector
The attack is network-based and requires authentication with low-privileged credentials. The attacker must have valid access to the WhatsUp Gold application, after which they can exploit the SQL injection flaw through normal application interfaces.
The exploitation process involves:
- Authentication to WhatsUp Gold with low-privileged credentials
- Identification of vulnerable input fields that interact with SQL queries
- Injection of malicious SQL statements designed to modify password hashes of privileged users
- Authentication as the compromised privileged user with the newly set password
For detailed technical information on exploitation, refer to the Progress WhatsUp Gold Security Bulletin.
Detection Methods for CVE-2024-6672
Indicators of Compromise
- Unexpected password changes for administrative or privileged accounts
- Anomalous database queries containing SQL injection patterns in application logs
- Unusual login activity from low-privileged accounts followed by privileged access
- Database audit logs showing direct credential table modifications
Detection Strategies
- Monitor WhatsUp Gold application logs for SQL error messages or unusual query patterns
- Implement database activity monitoring to detect unauthorized credential modifications
- Review authentication logs for privilege escalation patterns where low-privileged users gain elevated access
- Deploy web application firewall (WAF) rules to detect SQL injection attempts
Monitoring Recommendations
- Enable detailed logging in WhatsUp Gold and forward logs to a SIEM solution
- Configure alerts for administrative password changes or credential modifications
- Monitor for multiple failed SQL queries that may indicate injection attempts
- Establish baseline authentication patterns and alert on deviations
How to Mitigate CVE-2024-6672
Immediate Actions Required
- Upgrade Progress WhatsUp Gold to version 2024.0.0 or later immediately
- Review administrative account credentials and reset passwords for all privileged accounts
- Audit user access logs to identify potential exploitation attempts
- Restrict network access to WhatsUp Gold to authorized users and networks only
Patch Information
Progress has released WhatsUp Gold version 2024.0.0 which addresses this SQL injection vulnerability. Organizations should upgrade to this version or later as soon as possible. The security advisory with full details is available at the Progress WhatsUp Gold Security Bulletin.
Workarounds
- Implement network segmentation to limit access to WhatsUp Gold management interfaces
- Deploy a web application firewall (WAF) with SQL injection detection rules in front of the application
- Enforce principle of least privilege by reviewing and minimizing user account permissions
- Enable database audit logging to detect and alert on suspicious query activity
# Example: Restrict WhatsUp Gold access via firewall rules
# Allow access only from trusted management network
iptables -A INPUT -p tcp --dport 443 -s 10.0.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
