CVE-2020-13968 – This vulnerability allows SQL injection attacks... (How to Fix)

📋 TL;DR

This vulnerability allows SQL injection attacks via the 'strSessao' parameter in CRK Business Platform. Attackers can execute arbitrary SQL commands against the database, potentially compromising data confidentiality, integrity, and availability. All users of CRK Business Platform version 2019.1 and earlier are affected.

💻 Affected Systems

Products:

CRK Business Platform

Versions: <= 2019.1

Operating Systems: Any OS running CRK Business Platform

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all deployment configurations where the vulnerable version is installed.

📦 What is this software?

Business Platform by Crk

View all CVEs affecting Business Platform →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, authentication bypass, and potential remote code execution on the underlying server.

🟠

Likely Case

Unauthorized data access, data manipulation, and potential privilege escalation within the application.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and database permission restrictions in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public Nmap NSE script available for exploitation. SQL injection via URL parameter makes exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://crk.com.br/produtos/

Restart Required: No

Instructions:

1. Contact CRK vendor for updated version
2. Apply vendor-provided patch
3. Test in non-production environment first

🔧 Temporary Workarounds

Web Application Firewall (WAF)

all

Deploy WAF with SQL injection rules to block malicious requests

Input Validation Filter

all

Implement server-side filtering for 'strSessao' parameter

🧯 If You Can't Patch

Isolate the CRK Business Platform behind a reverse proxy with strict input validation
Implement network segmentation to limit database access from application servers

🔍 How to Verify

Check if Vulnerable:

Use the Nmap NSE script from GitHub repository to test for vulnerability

Check Version:

Check CRK Business Platform version in admin interface or configuration files

Verify Fix Applied:

Retest with NSE script after applying fixes; verify no SQL injection payloads succeed

📡 Detection & Monitoring

Log Indicators:

Unusual SQL error messages in application logs
Multiple requests with SQL keywords in parameters

Network Indicators:

HTTP requests containing SQL injection payloads in 'strSessao' parameter

SIEM Query:

source="web_logs" AND (strSessao CONTAINS "UNION" OR strSessao CONTAINS "SELECT" OR strSessao CONTAINS "INSERT")

📊 Metadata

CVE ID: CVE-2020-13968

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: December 23, 2020

Last Updated: November 21, 2024

🔗 References

http://crk.com.br/produtos/ Product,Vendor Advisory
https://github.com/r3naissance/nse/blob/master/http-vuln-cve2020-13968.nse Exploit,Third Party Advisory
http://crk.com.br/produtos/ Product,Vendor Advisory
https://github.com/r3naissance/nse/blob/master/http-vuln-cve2020-13968.nse Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-13968, you might also want to check these: