CVE-2024-8877

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Sep 25, 2024 / Updated: 56d ago

CVSS 6.9 / EPSS 0.04% / Medium

Summary

Improper neutralization of special elements results in a SQL Injection vulnerability in Riello Netman 204. The injection is limited to the SQLite database of measurement data. This issue affects Netman 204 through version 4.05.

Impact

This SQL Injection vulnerability could allow an attacker to execute arbitrary SQL commands on the affected SQLite database. Given the CVSS v3.1 base score of 9.8 (Critical), the potential impacts are severe:

1. Data Confidentiality: High impact, potentially allowing unauthorized access to sensitive measurement data stored in the SQLite database.
2. Data Integrity: High impact, as an attacker could potentially modify or delete existing measurement data.
3. System Availability: High impact, possibly leading to database corruption or denial of service.

The vulnerability requires no user interaction and can be exploited remotely over the network without requiring any privileges, making it relatively easy for attackers to exploit.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. The vulnerability affects Netman 204 firmware versions up to and including 4.05. Users should upgrade to a version newer than 4.05 as soon as possible.

Mitigation

1. Immediately update Riello Netman 204 firmware to a version newer than 4.05.
2. If immediate patching is not possible, consider implementing network segmentation to limit access to the affected devices.
3. Monitor for suspicious database activities or unexpected queries.
4. Implement input validation and parameterized queries if possible to prevent SQL injection attacks.
5. Regularly back up the measurement data to ensure quick recovery in case of a successful attack.
6. Conduct a thorough review of access logs to detect any potential exploitation attempts.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-8877.

Sep 20, 2024 at 10:22 AM / CyberDanube

CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 24, 2024 at 3:28 PM

CVE Assignment

NVD published the first details for CVE-2024-8877

Sep 25, 2024 at 1:15 AM

CVSS

A CVSS base score of 6.9 has been assigned.

Sep 25, 2024 at 1:21 AM / nvd

EPSS

EPSS Score was set to: 0.04% (Percentile: 9.6%)

Sep 25, 2024 at 10:26 AM

Affected Systems

Riello-ups/netman_204_firmware

Patches

cyberdanube.com

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

News

Netman 204 4.05 SQL Injection / Unauthenticated Password Reset
2) Unauthenticated Password Reset (CVE-2024-8878) By navigating to the endpoint /recoverpassword.html an attacker can gather the netmanid from the UPS. Blagojevic (Office Vienna) | S.
Netman 204 4.05 SQL Injection / Unauthenticated Password Reset
Topic: Netman 204 4.05 SQL Injection / Unauthenticated Password Reset Risk: Medium Text:CyberDanube Security Research 20240919-0 - title Multiple Vulnerabilities ...
ATG: critical vulnerabilities on fuel stations
In addition to the ATC vulnerabilities, security flaws have also been discovered in the open-source solution OpenPLC, including a serious stack-based buffer overflow bug (CVE-2024-34026, CVSS score: 9.0) that could be exploited to gain access to remote code execution. Since not only ATGs are involved, the development comes as the Cybersecurity and Infrastructure Security Agency (CISA) of the United States has reported an increase in threats to Internet-accessible OT and ICS systems including those in the Water and Wastewater Systems (WWS) sector.
Critical Flaws In Tank Gauge Systems Expose Gas Stations To Remote Attacks
Security flaws have also been uncovered in the open-source OpenPLC solution, including a critical stack-based buffer overflow bug (CVE-2024-34026, CVSS score: 9.0) that could be exploited to achieve remote code execution. Also of note are several critical vulnerabilities in the AJCloud IP camera management platform that, if successfully exploited, could lead to the exposure of sensitive user data and provide attackers with full remote control of any camera connected to the smart home cloud service.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
