CVE-2021-28157
📋 TL;DR
This SQL injection vulnerability in Devolutions Server allows administrative users to execute arbitrary SQL commands via the username parameter in the user deletion API endpoint. It affects Devolutions Server versions before 2021.1 and Devolutions Server LTS versions before 2020.3.18. Administrative users with access to the API can exploit this to manipulate the database.
💻 Affected Systems
- Devolutions Server
- Devolutions Server LTS
📦 What is this software?
Devolutions Server by Devolutions
⚠️ Risk & Real-World Impact
Worst Case
Administrative user gains full database control, leading to data theft, data destruction, privilege escalation, or complete system compromise.
Likely Case
Administrative user executes unauthorized SQL queries to access, modify, or delete sensitive data stored in the database.
If Mitigated
With proper access controls and monitoring, exploitation would be limited to authorized administrative actions and detected quickly.
🎯 Exploit Status
Exploitation requires administrative credentials and knowledge of SQL injection techniques. The vulnerability is in a specific API endpoint used for user management.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Devolutions Server 2021.1 or later, Devolutions Server LTS 2020.3.18 or later
Vendor Advisory: https://devolutions.net/security/advisories/DEVO-2021-0004
Restart Required: Yes
Instructions:
1. Back up your Devolutions Server database and configuration.
2. Download the patched version from the Devolutions website.
3. Run the installer to upgrade to version 2021.1 or later (or 2020.3.18 or later for LTS).
4. Restart the Devolutions Server service.
🔧 Temporary Workarounds
Restrict API Access
Limit network access to the Devolutions Server API endpoints to only trusted administrative networks.
Use firewall rules to restrict access to port 443 (or your configured HTTPS port) to specific IP ranges.
Temporary User Management Disable
Disable the vulnerable user deletion functionality until patching can be completed.
Configure role-based access controls to temporarily remove user deletion permissions from administrative accounts.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Devolutions Server from untrusted networks.
- Enhance monitoring of API endpoint access and database query patterns for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check Devolutions Server version in web interface under Help > About or via server logs. Compare against affected versions.
Check Version:
Check web interface or examine server installation directory for version information.
Verify Fix Applied:
Confirm version is 2021.1 or later (or 2020.3.18 or later for LTS) and test user deletion functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed or unusual user deletion attempts in application logs
- API requests to /api/security/userinfo/delete with suspicious username parameters
Network Indicators:
- Unusual traffic patterns to the API endpoint
- SQL error messages in HTTP responses
SIEM Query:
source="devolutions_server" AND (uri_path="/api/security/userinfo/delete" AND (username CONTAINS "'" OR username CONTAINS "--" OR username CONTAINS ";"))
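The SIEM query above, expressed as a standalone detection that can be run over exported application logs. This is an added example, not part of the advisory or Devolutions' own tooling: the JSON field names (source, uri_path, username, src_ip) are assumed to mirror the query, the log lines are constructed, and it goes slightly beyond the query by ranking apostrophe-only hits lower, since bare apostrophes also occur in legitimate usernames.

```python
import json
from typing import Iterable, Optional

# Endpoint named in the advisory and the metacharacters the SIEM query matches on.
VULN_PATH = "/api/security/userinfo/delete"

# Constructed sample log events (one JSON object per line). The field names are an
# assumption about the log schema, chosen to follow the SIEM query above.
SAMPLE_LOGS = """\
{"source": "devolutions_server", "uri_path": "/api/security/userinfo/delete", "username": "jdoe", "src_ip": "10.0.0.5"}
{"source": "devolutions_server", "uri_path": "/api/security/userinfo/delete", "username": "jdoe';--", "src_ip": "10.0.0.9"}
{"source": "devolutions_server", "uri_path": "/api/security/userinfo/list", "username": "x';--", "src_ip": "10.0.0.9"}
{"source": "devolutions_server", "uri_path": "/api/security/userinfo/delete", "username": "o'brien", "src_ip": "10.0.0.7"}
"""


def classify_username(username: str) -> Optional[str]:
    """Return 'high', 'low' or None depending on which SQL metacharacters appear."""
    if "--" in username or ";" in username:
        return "high"  # comment or statement terminator: rarely legitimate in a username
    if "'" in username:
        return "low"  # a lone apostrophe also appears in real names (e.g. O'Brien)
    return None


def detect_injection_attempts(lines: Iterable[str]) -> list:
    """Apply the SIEM query logic to log lines; return one hit dict per matching event."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole run
        # Only the user-deletion endpoint on the Devolutions Server source is in scope.
        if event.get("source") != "devolutions_server" or event.get("uri_path") != VULN_PATH:
            continue
        severity = classify_username(str(event.get("username", "")))
        if severity:
            hits.append({"src_ip": event.get("src_ip"),
                         "username": event["username"],
                         "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in detect_injection_attempts(SAMPLE_LOGS.splitlines()):
        print(hit)
```

The third sample line carries the same metacharacters but targets a different endpoint, so it is correctly ignored; tune the "low" tier against your own username population before alerting on it.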