CVE-2021-30486
📋 TL;DR
This SQL injection vulnerability in SysAid allows attackers to execute arbitrary SQL commands through multiple AssetManagement endpoints. It affects SysAid On-Premise installations, potentially enabling data theft, modification, or complete system compromise.
💻 Affected Systems
- SysAid On-Premise
📦 What is this software?
SysAid by SysAid
⚠️ Risk & Real-World Impact
Worst Case
Full database compromise leading to complete system takeover, data exfiltration, and lateral movement within the network.
Likely Case
Unauthorized access to sensitive asset management data, potential privilege escalation, and database manipulation.
If Mitigated
Limited impact with proper input validation, WAF protection, and network segmentation in place.
🎯 Exploit Status
SQL injection is well-understood with many automated tools available. The referenced blog post demonstrates exploitation techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 20.4.50 or later
Vendor Advisory: https://www.sysaid.com/resources/security-advisory
Restart Required: Yes
Instructions:
1. Backup your SysAid database and configuration.
2. Download the latest patch from the SysAid support portal.
3. Apply the patch following SysAid's upgrade documentation.
4. Restart the SysAid service.
5. Verify the fix by testing the vulnerable endpoints.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
Implement WAF rules to block SQL injection patterns targeting the vulnerable endpoints
Add WAF rule: Block requests containing SQL keywords (SELECT, UNION, etc.) to /AssetManagement*.jsp
Network Access Control
Restrict access to the SysAid server to only authorized users and systems
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="8080" accept'
netsh advfirewall firewall add rule name="SysAid Access" dir=in action=allow protocol=TCP localport=8080 remoteip=192.168.1.0/24
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries for all AssetManagement endpoints
- Disable or restrict access to the vulnerable AssetManagement*.jsp endpoints via web server configuration
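The first workaround above relies on parameterized queries. As an added example that is not SysAid's code and not part of this advisory, the Python snippet below uses an in-memory SQLite table (constructed here; the real schema is unknown) to show why a string-built lookup on a computerID-style parameter is exploitable with the advisory's own test value, while a bound parameter plus an allow-list check is not:

```python
import sqlite3


def build_db():
    """Constructed sample table standing in for an asset inventory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE computers (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO computers VALUES (?, ?, ?)",
        [(1, "ws-01", "alice"), (2, "ws-02", "bob"), (3, "srv-01", "ops")],
    )
    return conn


def lookup_vulnerable(conn, computer_id):
    # Untrusted input is pasted into the SQL text, so quotes and operators in
    # the value change the meaning of the statement.
    sql = f"SELECT name, owner FROM computers WHERE id = '{computer_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, computer_id):
    # The value is bound as data; the driver never treats it as SQL, so a
    # value like 1' OR '1'='1 simply fails to match any id.
    return conn.execute(
        "SELECT name, owner FROM computers WHERE id = ?", (computer_id,)
    ).fetchall()


def validate_computer_id(raw):
    """Allow-list check: a computer id is a positive integer and nothing else."""
    if not raw.isdigit():
        raise ValueError(f"rejected computerID value: {raw!r}")
    return int(raw)


if __name__ == "__main__":
    db = build_db()
    probe = "1' OR '1'='1"  # the test value quoted in the advisory
    print("vulnerable:", lookup_vulnerable(db, probe))        # returns every row
    print("parameterized:", lookup_parameterized(db, probe))  # returns []
    try:
        validate_computer_id(probe)
    except ValueError as err:
        print("validation:", err)
```

Rejecting the value before it reaches the database (validate_computer_id) and binding it (lookup_parameterized) are complementary: the first gives a clean error to log, the second guarantees that whatever slips past validation is still only data.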
🔍 How to Verify
Check if Vulnerable:
Test the endpoints with SQL injection payloads: /AssetManagementChart.jsp?computerID=1' OR '1'='1 or use automated SQL injection scanners
Check Version:
Check SysAid version in Admin interface or via /help/about.jsp endpoint
Verify Fix Applied:
Attempt SQL injection against patched endpoints and verify they return proper error messages or reject malicious input
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple failed login attempts followed by AssetManagement endpoint access
- Requests to AssetManagement*.jsp with SQL keywords in parameters
Network Indicators:
- Unusual database queries from the web application server
- Large data transfers from SysAid server to external IPs
SIEM Query:
source="sysaid.logs" AND ("AssetManagementChart.jsp" OR "AssetManagementList.jsp" OR "AssetManagementSummary.jsp") AND ("SQL" OR "syntax" OR "union" OR "select")
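The SIEM query above only fires when one of the named endpoints and a SQL keyword appear in the same event. As an added example (not part of this advisory and not a SysAid tool), the Python script below applies the same idea to raw web-server access log lines, URL-decoding each query parameter first so that encoded quotes and spaces are not missed, and restricting the match to /AssetManagement*.jsp so that a benign search for "select" elsewhere does not alert. The log format and every sample line are constructed for this example; the endpoint names and keywords come from the advisory.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Combined-log style access line (constructed format for this example).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Tokens that do not belong in an id-style parameter: SQL verbs as whole words,
# a quote followed by a boolean operator, or SQL comment openers.
SQL_TOKENS = re.compile(
    r"(?i)\b(?:union|select|insert|update|delete|drop)\b|'\s*(?:or|and)\b|--|/\*"
)


def is_asset_endpoint(url):
    """True for any /AssetManagement*.jsp path, mirroring the advisory's wildcard."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return name.startswith("AssetManagement") and name.endswith(".jsp")


def suspicious_params(url):
    """Return (param, decoded_value, matched_token) for each decoded value with a SQL token."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        m = SQL_TOKENS.search(value)
        if m:
            hits.append((name, value, m.group(0)))
    return hits


def scan_access_log(lines):
    """Yield one finding per request to an AssetManagement page carrying a SQL token."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole scan
        url = m.group("url")
        if not is_asset_endpoint(url):
            continue
        hits = suspicious_params(url)
        if hits:
            findings.append({
                "ip": m.group("ip"), "ts": m.group("ts"),
                "status": m.group("status"), "url": url, "hits": hits,
            })
    return findings


# Constructed sample lines: one normal request, the advisory's test value
# URL-encoded, a UNION/SELECT fragment, two benign look-alikes and a junk line.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/May/2021:10:00:01 +0000] "GET /AssetManagementChart.jsp?computerID=1 HTTP/1.1" 200 5123',
    '10.0.0.7 - - [01/May/2021:10:00:02 +0000] "GET /AssetManagementChart.jsp?computerID=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98231',
    '10.0.0.7 - - [01/May/2021:10:00:03 +0000] "GET /AssetManagementList.jsp?computerID=2%20UNION%20SELECT HTTP/1.1" 500 412',
    '10.0.0.9 - - [01/May/2021:10:00:04 +0000] "GET /AssetManagementList.jsp?filter=selected&computerID=3 HTTP/1.1" 200 3001',
    '10.0.0.9 - - [01/May/2021:10:00:05 +0000] "GET /index.jsp?q=select HTTP/1.1" 200 100',
    'not an access log line',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], f["url"])
        for name, value, token in f["hits"]:
            print(f"   param {name!r} = {value!r}  (token {token!r})")
```

Note that the second sample line was served with status 200 and a response several times larger than the normal request, which is exactly the "large data transfer" pattern listed under Network Indicators; correlating status and size with the parameter hit is what turns a keyword match into a credible alert.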