CVE-2020-13504

9.8 CRITICAL

📋 TL;DR

CVE-2020-13504 is an unauthenticated SQL injection vulnerability in the AttFilterValue parameter of the ednareporting.asmx endpoint. Attackers can send specially crafted SOAP requests to execute arbitrary SQL commands, potentially compromising database contents. It affects Delta Electronics DIAEnergie versions prior to 1.7.5 where the vulnerable endpoint is reachable.

💻 Affected Systems

Products:
  • Delta Electronics DIAEnergie
Versions: DIAEnergie versions prior to 1.7.5
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable ednareporting.asmx endpoint appears to be part of the default installation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data exfiltration, data manipulation, privilege escalation, and potential remote code execution through database functions.

🟠 Likely Case

Data exfiltration from the database, potentially including sensitive information like credentials, personal data, or configuration details.

🟢 If Mitigated

Limited impact due to network segmentation, web application firewalls blocking SQL injection patterns, or the endpoint being inaccessible.

🌐 Internet-Facing: HIGH - The vulnerability is unauthenticated and exploitable via HTTP requests, making internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internally, unauthenticated SQL injection provides significant risk for lateral movement and data compromise.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via SOAP requests is well-understood with public proof-of-concept available. The unauthenticated nature makes exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: DIAEnergie 1.7.5 and later

Vendor Advisory: https://www.deltaww.com/en-US/Support/SecurityAdvisory/Pages/2020-09-01.aspx

Restart Required: Yes

Instructions:

1. Download DIAEnergie version 1.7.5 or later from Delta Electronics.
2. Back up the current installation and data.
3. Run the installer to upgrade.
4. Restart the DIAEnergie service and verify functionality.

🔧 Temporary Workarounds

Network Access Control (Windows)

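Restrict access to the ednareporting.asmx endpoint using firewall rules or network segmentation. Windows Firewall filters on port, program and address rather than URL path, so the rule below blocks all inbound traffic to the application's web ports, not only the vulnerable endpoint.

Windows Firewall: New-NetFirewallRule -DisplayName 'Block ednareporting' -Direction Inbound -Protocol TCP -LocalPort 80,443 -RemoteAddress Any -Action Block -Program 'Path\to\DIAEnergie.exe'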

Web Application Firewall (all platforms)

Deploy a WAF with SQL injection protection rules to filter malicious requests.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the vulnerable system from untrusted networks.
  • Deploy a web application firewall with SQL injection detection and blocking capabilities.

🔍 How to Verify

Check if Vulnerable:

Check if the ednareporting.asmx endpoint responds to HTTP requests and test with SQL injection payloads in the AttFilterValue parameter (use authorized testing only).

Check Version:

Check the DIAEnergie application interface or installation directory for version information.

Verify Fix Applied:

Verify the DIAEnergie version is 1.7.5 or later and test that SQL injection attempts no longer succeed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed login attempts or unusual parameter values in web logs

Network Indicators:

  • HTTP POST requests to ednareporting.asmx with SQL keywords in parameters
  • Unusual database query patterns from the application server

SIEM Query:

source="web_logs" AND uri="/ednareporting.asmx" AND param="AttFilterValue" AND (value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "' OR '")
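The same check applied to captured request bodies, as an added example that is not part of the original advisory or the vendor's tooling. It parses the SOAP body first, so XML-encoded quotes and CDATA in AttFilterValue are decoded before matching, which a raw substring search would miss. The operation name and namespace in the sample envelope are placeholders, and it assumes request bodies are available to the detector.

```python
import re
import xml.etree.ElementTree as ET

# The three indicators used by the SIEM query on this page.
SQLI_PATTERNS = {
    "quote_or": re.compile(r"'\s*or\s*'", re.I),
    "select": re.compile(r"\bselect\b", re.I),
    "union": re.compile(r"\bunion\b", re.I),
}

# Constructed sample envelope. The operation name and namespace are
# placeholders (assumptions), not taken from the product's WSDL.
SAMPLE_ENVELOPE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><ExampleOperation xmlns="urn:example:placeholder">'
    "<AttFilterValue>{value}</AttFilterValue>"
    "</ExampleOperation></soap:Body></soap:Envelope>"
)


def att_filter_values(body):
    """Return decoded text of every AttFilterValue element, or None if unparseable."""
    # SOAP messages must not carry a DTD; refuse it rather than expand entities.
    if "<!doctype" in body.lower():
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    # Match on local name so the check does not depend on the namespace prefix.
    return ["".join(el.itertext()) for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "AttFilterValue"]


def inspect_request(method, path, body):
    """Return sorted indicator names for a POST to ednareporting.asmx, else []."""
    endpoint = path.split("?", 1)[0].lower()
    if method.upper() != "POST" or not endpoint.endswith("/ednareporting.asmx"):
        return []
    values = att_filter_values(body)
    if values is None:
        return ["unparseable_body"]
    return sorted({name for value in values
                   for name, rx in SQLI_PATTERNS.items() if rx.search(value)})
```

A body that fails to parse is reported as `unparseable_body` rather than silently passed, since malformed requests to this endpoint are worth reviewing in their own right.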
