CVE-2021-3604 – CVE-2021-3604 is a critical SQL injection vulne... (How to Fix)

Q: What is the severity of CVE-2021-3604?

CVE-2021-3604 has a CVSS score of 9.8 (CRITICAL). CVE-2021-3604 is a critical SQL injection vulnerability in Primion Digitek Secure 8 (Evalos) that allows remote attackers to extract sensitive user and administrator account data from the database. Organizations using affected versions of this industrial control system software are at risk of credential theft and potential system compromise.

📋 TL;DR

CVE-2021-3604 is a critical SQL injection vulnerability in Primion Digitek Secure 8 (Evalos) that allows remote attackers to extract sensitive user and administrator account data from the database. Organizations using affected versions of this industrial control system software are at risk of credential theft and potential system compromise.

💻 Affected Systems

Products:

Primion Digitek Secure 8 (Evalos)

Versions: All versions prior to patched version (specific version information not provided in references)

Operating Systems: Unknown - Likely Windows-based given ICS context

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the Secure 8 component of Primion Digitek systems used in industrial control environments. The vulnerability exists in how user input is processed.

📦 What is this software?

Secure 8 by Primion Digitek

View all CVEs affecting Secure 8 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the ICS system, credential theft leading to lateral movement within industrial networks, potential manipulation of industrial processes, and data exfiltration.

🟠

Likely Case

Extraction of administrator credentials and user data, enabling further attacks on the ICS network and potential unauthorized access to industrial control systems.

🟢

If Mitigated

Limited impact with proper input validation, network segmentation, and monitoring in place, though the vulnerability still presents a significant risk.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication, making internet-facing systems extremely vulnerable to attack.

🏢 Internal Only: HIGH - Even internally, the vulnerability allows unauthenticated SQL injection attacks that can compromise the entire system.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Blind SQL injection typically requires more effort than regular SQLi but is still relatively straightforward for skilled attackers. The vulnerability is remotely exploitable without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Specific version not provided in references - contact vendor for patched version

Vendor Advisory: https://www.incibe-cert.es/en/early-warning/ics-advisories/primion-digitek-secure-8-sql-injection-vulnerability

Restart Required: Yes

Instructions:

1. Contact Primion Digitek for the security patch. 2. Apply the patch following vendor instructions. 3. Restart affected systems. 4. Verify the fix is properly applied.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate Secure 8 systems from untrusted networks and implement strict firewall rules

Web Application Firewall

all

Deploy WAF with SQL injection protection rules to block exploitation attempts

🧯 If You Can't Patch

Implement strict network segmentation to isolate affected systems from untrusted networks
Deploy intrusion detection systems and monitor for SQL injection patterns in network traffic

🔍 How to Verify

Check if Vulnerable:

Test for SQL injection vulnerabilities using authorized penetration testing tools against the Secure 8 interface

Check Version:

Check system version through Secure 8 administration interface or contact vendor

Verify Fix Applied:

Re-test for SQL injection after patch application and verify no database errors or data leakage occurs

📡 Detection & Monitoring

Log Indicators:

Unusual database queries
SQL syntax errors in application logs
Multiple failed login attempts followed by unusual queries

Network Indicators:

SQL injection patterns in HTTP requests
Unusual database connection patterns
Data exfiltration patterns

SIEM Query:

source="secure8" AND ("sql" OR "database" OR "union select" OR "sleep(" OR "waitfor delay")

📊 Metadata

CVE ID: CVE-2021-3604

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: June 18, 2021

Last Updated: November 21, 2024

🔗 References

http://titaniumaics.blogspot.com/2021/06/vulnerabilidad-zero-day-en-primion.html Exploit,Third Party Advisory
https://www.incibe-cert.es/en/early-warning/ics-advisories/primion-digitek-secure-8-sql-injection-vulnerability Third Party Advisory
http://titaniumaics.blogspot.com/2021/06/vulnerabilidad-zero-day-en-primion.html Exploit,Third Party Advisory
https://www.incibe-cert.es/en/early-warning/ics-advisories/primion-digitek-secure-8-sql-injection-vulnerability Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-3604, you might also want to check these: