CVE-2020-10582
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary SQL commands through the /admin/display_errors.php script in Invigo ADM. Attackers can read, modify, or delete database data, potentially compromising the entire system. All organizations using Invigo ADM through version 5.0 are affected.
💻 Affected Systems
- Invigo Automatic Device Management (ADM)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise including data theft, data manipulation, privilege escalation, and potential lateral movement to connected systems.
Likely Case
Database compromise leading to sensitive information disclosure, unauthorized data modification, and potential administrative access to the ADM system.
If Mitigated
Limited impact if proper network segmentation, WAF rules, and input validation are in place, though the vulnerability remains exploitable.
🎯 Exploit Status
SQL injection in a remotely reachable administrative script is a routinely weaponized bug class, and the vendor advisory linked below covers several issues in the same product, so an attacker who reaches the endpoint has more than one thing to try. This page does not cite a public exploit; treat the flaw as exploitable regardless, since an SQL injection can usually be confirmed and abused with generic tooling once the endpoint is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.on-x.com/sites/default/files/security_advisory_-_multiple_vulnerabilities_-_invigo_adm.pdf
Restart Required: No
Instructions:
1. Check the vendor advisory for patch availability for your installed version.
2. If a patch exists, apply it following the vendor's instructions.
3. Verify the fix by re-testing the vulnerable endpoint (see How to Verify below); do not rely on the version string alone.
🔧 Temporary Workarounds
Disable display_errors.php
Linux: Move the vulnerable script out of the document root and make it unreadable. Do not simply rename it in place: a display_errors.php.disabled file left under the web root can be served as plain text by a server that only hands .php files to PHP, disclosing source.
mv /path/to/admin/display_errors.php /path/to/quarantine/display_errors.php.disabled
chmod 000 /path/to/quarantine/display_errors.php.disabled
Alternatively deny the URL at the web server (an Apache or nginx rule for /admin/display_errors.php returning 403). Either way the ADM error-display page stops working until the patch is applied.
Implement WAF Rules
All platforms: Add SQL injection detection and blocking rules to the web application firewall in front of ADM, scoped at least to /admin/display_errors.php. Make sure the WAF inspects URL-decoded parameters; percent-encoded and double-encoded payloads bypass literal keyword matches.
🧯 If You Can't Patch
- Network segmentation: Isolate Invigo ADM systems from internet and restrict internal access
- If you have source access, convert the query behind display_errors.php to a prepared statement with bound parameters. Input validation (allow-listing the expected value format) narrows the attack surface but does not by itself reliably close the injection.
🔍 How to Verify
Check if Vulnerable:
Confirm that the installed version falls within the affected range (Invigo ADM through 5.0). If you must test the endpoint, do so on a non-production instance and with authorization: request /admin/display_errors.php with a known-good parameter value, then with the same value followed by a single quote, and compare the two responses; a database error or a changed page is a strong indicator. A boolean pair (an appended condition that is always true versus always false) or a time-based probe confirms the injection without depending on error output.
Check Version:
Check Invigo ADM administration interface or configuration files for version information
Verify Fix Applied:
Repeat the same probes after patching or applying the workaround. A fixed endpoint returns no database error text, identical responses for the true/false probe pair, and no delay for a time-based probe; a disabled script should return 403 or 404.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Bursts of failed admin logins preceding access to the script, or SQL error messages (syntax errors, unexpected quote handling) in PHP or application error logs
- Access to display_errors.php with suspicious parameters
Network Indicators:
- HTTP requests to /admin/display_errors.php containing SQL keywords (SELECT, UNION, etc.)
- Unusual database connections from web server
SIEM Query:
source="web_logs" AND uri="/admin/display_errors.php" AND (query CONTAINS "SELECT" OR query CONTAINS "UNION" OR query CONTAINS "OR 1=1")
Run the match against the URL-decoded query string and case-insensitively; a literal substring check misses percent-encoded (%27, %20) and double-encoded payloads. The keyword list above is a starting point, not a complete signature, and POST bodies are not visible in access logs at all.
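The detection logic above, worked through as an added example (not code from Invigo, the advisory, or this page's author): it parses access-log lines in NCSA combined format, keeps only requests for /admin/display_errors.php, fully URL-decodes each query parameter (including double encoding), and labels the SQL injection markers it finds. The log format, the pattern set and the sample lines are assumptions constructed for illustration; the sample addresses are RFC 5737 documentation ranges, not real traffic.

```python
"""
Scan web-server access logs for probes against /admin/display_errors.php
(the endpoint named for CVE-2020-10582) whose query parameters carry SQL
injection markers. Added example, not code from Invigo or the advisory.
Assumptions: NCSA combined log format (Apache/nginx default); the pattern
set and the sample lines below are constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, unquote_plus, urlsplit

TARGET_PATH = "/admin/display_errors.php"

# First fields of NCSA combined format; referer and user-agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Labelled SQL injection markers, checked against the fully decoded value.
SQLI_PATTERNS = [
    (re.compile(r"\bunion\b.*?\bselect\b", re.I | re.S), "union-select"),
    (re.compile(r"\bselect\b.+?\bfrom\b", re.I | re.S), "select-from"),
    (re.compile(r"['\"]\s*(?:or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+", re.I), "tautology"),
    (re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I), "time-based"),
    (re.compile(r"--|/\*"), "comment-terminator"),
    (re.compile(r"\b(?:information_schema|load_file|into\s+outfile)\b", re.I), "db-enum"),
]


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (double encoding is a common WAF bypass)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_line(line: str):
    """Return a finding dict for a request to the target path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["uri"])
    if unquote(parts.path) != TARGET_PATH:  # catch an encoded path too
        return None
    hits = []
    # parse_qsl decodes one layer; decode_fully handles any further layers.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(raw)
        for pattern, label in SQLI_PATTERNS:
            if pattern.search(value):
                hits.append((name, label))
    return {"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
            "query": unquote_plus(parts.query), "hits": hits}


def scan(lines):
    """Findings for target-path requests that matched at least one pattern."""
    out = []
    for line in lines:
        rec = analyze_line(line)
        if rec and rec["hits"]:
            out.append(rec)
    return out


def summarize(findings) -> dict:
    """Count suspicious requests per source IP (a pivot for blocking or hunting)."""
    return dict(Counter(f["ip"] for f in findings))


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2020:13:55:36 +0000] "GET /admin/display_errors.php?id=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:13:55:41 +0000] "GET /admin/display_errors.php?id=12%27%20OR%201%3D1--%20 HTTP/1.1" 200 18342 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:13:55:49 +0000] "GET /admin/display_errors.php?id=12%2520UNION%2520SELECT%25201%252C2%252C3 HTTP/1.1" 500 1033 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Mar/2020:14:01:02 +0000] "GET /index.php?q=select%20from HTTP/1.1" 200 212 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:14:02:10 +0000] "GET /admin/display_errors.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    findings = scan(SAMPLE_LOG.splitlines())
    for f in findings:
        print(f"{f['ts']} {f['ip']} status={f['status']} "
              f"{[label for _, label in f['hits']]} query={f['query']!r}")
    print("per-source counts:", summarize(findings))
```

Note what the sample shows: the double-encoded UNION SELECT line is only caught because parse_qsl's single decode is followed by decode_fully, the benign id=12 request and the SELECT keyword on an unrelated path produce no finding, and the 500 status on the UNION probe is the kind of secondary signal worth correlating with PHP error logs. Tune the pattern list against your own traffic before alerting on it.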