CVE-2021-32953
📋 TL;DR
This is a critical SQL injection vulnerability in MDT AutoSave software that allows attackers to create new administrative users and bypass authentication. It affects MDT AutoSave versions prior to v6.02.06, primarily impacting industrial control systems and manufacturing environments.
💻 Affected Systems
- MDT AutoSave
📦 What is this software?
MDT AutoSave by AUVESY-MDT (listed as "Autosave by Auvesy Mdt" in vulnerability databases), change management software for industrial control system programs.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to create administrative accounts, modify system configurations, disrupt industrial processes, and potentially cause physical damage or safety incidents.
Likely Case
Unauthorized access to industrial control systems, data theft, manipulation of industrial processes, and potential ransomware deployment in manufacturing environments.
If Mitigated
Limited impact if proper network segmentation, authentication controls, and monitoring are in place to detect and block SQL injection attempts.
🎯 Exploit Status
No public exploit details are recorded on this page. SQL injection is a well-understood bug class that is routinely exploited once details are known, and the high CVSS score of this CVE makes it an attractive target, so treat exposed, unpatched instances as at risk.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v6.02.06
Vendor Advisory: https://www.cisa.gov/uscert/ics/advisories/icsa-21-189-02
Restart Required: Yes
Instructions:
1. Download MDT AutoSave v6.02.06 or later from the vendor.
2. Back up the current configuration and data.
3. Install the update following the vendor's instructions.
4. Restart the system.
5. Verify the update was successful by confirming that the installed version is 6.02.06 or later.
🔧 Temporary Workarounds
Network Segmentation
Isolate MDT AutoSave systems from untrusted networks and implement strict firewall rules that permit only the engineering hosts that need to reach them.
Web Application Firewall
Place a WAF in front of the AutoSave web interface and block common SQL injection patterns. This is a compensating control, not input validation inside the application: it does not fix the injectable query and can be bypassed with encoded or unusual payloads, so pair it with the monitoring below.
🧯 If You Can't Patch
- Implement strict network access controls to limit connections to MDT AutoSave systems
- Enable detailed logging and monitoring for SQL injection attempts and unauthorized user creation
🔍 How to Verify
Check if Vulnerable:
Check MDT AutoSave version in the application interface or installation directory. Versions below 6.02.06 are vulnerable.
Check Version:
Check the application's About dialog or installation properties in Windows.
Verify Fix Applied:
Verify the installed version is 6.02.06 or higher. Compare version numbers numerically rather than as text (6.2.5 is older than 6.02.06 even though it sorts after it as a string). If a non-production instance is available, confirm that an injection payload in the affected input is rejected rather than executed; do not test this against production systems.
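The version comparison above is easy to get wrong when it is done with string comparison. The following is an added example, not code from the page or from the vendor: it takes a version string as you would copy it from the About dialog or the Windows installed-programs list (the product does not provide this function) and decides whether it is older than the fixed release. The sample strings are constructed.

```python
import re

# Fixed version taken from the advisory referenced on this page.
FIXED_VERSION = "6.02.06"

VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text):
    """Return the first dotted version in `text` as a tuple of ints.

    Accepts the forms met in practice: 'v6.02.06', '6.2.6',
    'MDT AutoSave 6.02.05 (build 17)'. Converting each component with
    int() makes 6.02.06 and 6.2.6 compare equal, which plain string
    comparison does not.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no dotted version number in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_vulnerable(version_text, fixed=FIXED_VERSION):
    """True when the installed version is older than the fixed release."""
    found, fixed_t = parse_version(version_text), parse_version(fixed)
    # Pad the shorter tuple so '6.3' compares as 6.3.0, not as a prefix.
    width = max(len(found), len(fixed_t))
    found += (0,) * (width - len(found))
    fixed_t += (0,) * (width - len(fixed_t))
    return found < fixed_t


def naive_string_check(version_text, fixed=FIXED_VERSION):
    """The comparison people write first; kept here to show why it is wrong."""
    return version_text < fixed


if __name__ == "__main__":
    # Constructed sample version strings.
    for sample in ["v6.02.05", "6.2.5", "6.02.06", "6.10.0", "5.9"]:
        print(f"{sample:>10}: vulnerable={is_vulnerable(sample)}  "
              f"string-compare says {naive_string_check(sample.lstrip('v'))}")
```

Note that the string comparison reports 6.2.5 as newer than 6.02.06 because '2' sorts after '0'; a vulnerable install would be reported as patched.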
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in application logs
- Unexpected user creation events
- Failed authentication attempts followed by successful logins from new accounts
Network Indicators:
- SQL injection patterns in HTTP requests
- Unusual database connection attempts
- Traffic to MDT AutoSave from unexpected sources
SIEM Query (illustrative; field and event names depend on your log source):
source="mdt-autosave" AND (event="user_created" OR sql_query="*INSERT*user*" OR sql_query="*UPDATE*permissions*")
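The indicators listed in this section can be turned into detection logic. The following is an added example, not code from the page, the vendor or any SIEM product: it parses constructed key=value log lines and applies three rules taken from the list above (SQL injection patterns in request parameters, creation of an administrative user, and a successful login on a freshly created account after failed authentication from the same source). MDT AutoSave's real log format is not documented on this page, so the layout, event names, field names and addresses are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines for this example. MDT AutoSave's real log
# format is not documented on this page; the key=value layout, event names
# and field names below are assumptions, and the addresses are made up.
SAMPLE_LOG = """\
2021-07-08T10:00:01Z source=mdt-autosave event=auth_failed user=admin src=10.0.5.23
2021-07-08T10:00:09Z source=mdt-autosave event=http_request src=10.0.5.23 path=/login param="user=admin' OR '1'='1' --"
2021-07-08T10:00:15Z source=mdt-autosave event=http_request src=10.0.5.23 path=/login param="user=x'; INSERT INTO users (name,role) VALUES ('svc_backup','admin') --"
2021-07-08T10:00:16Z source=mdt-autosave event=user_created user=svc_backup role=admin src=10.0.5.23
2021-07-08T10:00:40Z source=mdt-autosave event=auth_success user=svc_backup src=10.0.5.23
2021-07-08T11:30:00Z source=mdt-autosave event=auth_success user=operator1 src=10.0.7.11
2021-07-08T11:31:00Z source=mdt-autosave event=user_created user=operator2 role=user src=10.0.7.11
"""

# key=value pairs; a value is either double-quoted (may contain spaces and
# '=' characters, as injected payloads do) or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Each rule name pairs with a regex; keep them narrow to limit false positives.
SQLI_PATTERNS = {
    "tautology":          re.compile(r"'\s*(?:or|and)\s+'?\w*'?\s*=", re.I),  # ' OR '1'='1
    "comment_terminator": re.compile(r"'\s*--"),                              # '-- drops the rest of the query
    "union_select":       re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "dml_ddl":            re.compile(r"\b(?:insert\s+into|update\s+\w+\s+set|drop\s+table)\b", re.I),
}


def parse_line(line):
    """Split 'TIMESTAMP k=v k="v v" ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {key: (quoted or plain) for key, quoted, plain in KV_RE.findall(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def sqli_matches(value):
    """Names of the injection patterns found in one parameter string."""
    return [name for name, pat in SQLI_PATTERNS.items() if pat.search(value)]


def analyze(log_text, window=timedelta(minutes=10)):
    """Apply the three log indicators from this page and return alert dicts."""
    alerts = []
    last_failed = {}   # src address -> time of its most recent failed login
    created = {}       # username -> the user_created event for that account
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        kind = ev.get("event")
        if kind == "http_request":
            hits = sqli_matches(ev.get("param", ""))
            if hits:
                alerts.append({"rule": "sqli_pattern", "ts": ev["ts"],
                               "src": ev.get("src"), "patterns": hits})
        elif kind == "auth_failed":
            last_failed[ev.get("src")] = ev["ts"]
        elif kind == "user_created":
            created[ev["user"]] = ev
            if ev.get("role") == "admin":
                alerts.append({"rule": "admin_user_created", "ts": ev["ts"],
                               "src": ev.get("src"), "user": ev["user"]})
        elif kind == "auth_success":
            origin = created.get(ev["user"])
            if origin and ev["ts"] - origin["ts"] <= window:
                failed_at = last_failed.get(ev.get("src"))
                alerts.append({
                    "rule": "new_account_login", "ts": ev["ts"],
                    "src": ev.get("src"), "user": ev["user"],
                    "seconds_after_creation": int((ev["ts"] - origin["ts"]).total_seconds()),
                    "preceded_by_auth_failure": failed_at is not None and failed_at < ev["ts"],
                })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The sequence rule is the one worth keeping even if the pattern rules are tuned away: an account that logs in seconds after being created, from an address that had just failed authentication, is the behaviour described in the TL;DR regardless of how the injection payload was encoded.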