CVE-2021-37749 – CVE-2021-37749 is a blind SQL injection vulnera... (How to Fix)

Q: What is the severity of CVE-2021-37749?

CVE-2021-37749 has a CVSS score of 9.8 (CRITICAL). CVE-2021-37749 is a blind SQL injection vulnerability in Hexagon GeoMedia WebMap 2020 that allows attackers to execute arbitrary SQL commands via the Id parameter in the GetMap method. This affects organizations using vulnerable versions of the web mapping service, potentially exposing sensitive database information. The vulnerability is particularly dangerous because it can be exploited without authentication.

📋 TL;DR

CVE-2021-37749 is a blind SQL injection vulnerability in Hexagon GeoMedia WebMap 2020 that allows attackers to execute arbitrary SQL commands via the Id parameter in the GetMap method. This affects organizations using vulnerable versions of the web mapping service, potentially exposing sensitive database information. The vulnerability is particularly dangerous because it can be exploited without authentication.

💻 Affected Systems

Products:

Hexagon GeoMedia WebMap

Versions: 2020 versions before Update 2 (specifically before version 16.6.2.66)

Operating Systems: Windows Server (typical deployment)

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the MapService.svc endpoint which is typically exposed as part of the web mapping service.

📦 What is this software?

Geomedia Webmap by Hexagongeospatial

View all CVEs affecting Geomedia Webmap →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data manipulation, or full system takeover through SQL injection escalation techniques.

🟠

Likely Case

Extraction of sensitive database information, including user credentials, configuration data, and proprietary mapping data.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only allowing information disclosure about database structure.

🌐 Internet-Facing: HIGH - The vulnerability affects a web service endpoint that is typically exposed to the internet for mapping functionality.

🏢 Internal Only: MEDIUM - Even internal deployments are at risk from insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Blind SQL injection requires more effort than traditional SQLi but tools like sqlmap can automate exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2020 Update 2 (version 16.6.2.66)

Vendor Advisory: https://download.hexagongeospatial.com/en/downloads/webgis/geomedia-webmap-2020-update-2

Restart Required: Yes

Instructions:

1. Download Update 2 from Hexagon's download portal. 2. Backup current installation. 3. Run the update installer. 4. Restart the GeoMedia WebMap services. 5. Verify the version shows 16.6.2.66 or higher.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement web application firewall rules or input validation to block SQL injection patterns in the Id parameter.

WAF rule: Block requests containing SQL keywords in the Id parameter

Network Segmentation

all

Restrict access to the MapService.svc endpoint to only trusted IP addresses or networks.

Firewall rule: Allow access to /MapService.svc only from specific IP ranges

🧯 If You Can't Patch

Implement strict input validation and parameterized queries at the application layer
Deploy a web application firewall with SQL injection protection rules

🔍 How to Verify

Check if Vulnerable:

Test the MapService.svc endpoint with SQL injection payloads in the Id parameter or check the installed version.

Check Version:

Check the GeoMedia WebMap administration interface or installation directory for version information.

Verify Fix Applied:

Verify the version is 16.6.2.66 or higher and test that SQL injection attempts are properly rejected.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL error messages in application logs
Multiple failed requests to MapService.svc with SQL-like patterns in parameters

Network Indicators:

HTTP requests to MapService.svc containing SQL keywords (SELECT, UNION, etc.) in the Id parameter

SIEM Query:

source="web_logs" AND uri="/MapService.svc" AND (param="Id" AND value CONTAINS "SELECT" OR value CONTAINS "UNION" OR value CONTAINS "' OR '")

📊 Metadata

CVE ID: CVE-2021-37749

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: August 30, 2021

Last Updated: November 21, 2024

🔗 References

https://download.hexagongeospatial.com/en/downloads/webgis/geomedia-webmap-2020-update-2 Vendor Advisory
https://www.hexagongeospatial.com/products/power-portfolio/geomedia-webmap Product,Vendor Advisory
https://www.silentgrid.com/blog/cve-2021-37749-hexagon-geomedia-webmap-2020-blind-sql-injection/ Exploit,Third Party Advisory
https://download.hexagongeospatial.com/en/downloads/webgis/geomedia-webmap-2020-update-2 Vendor Advisory
https://www.hexagongeospatial.com/products/power-portfolio/geomedia-webmap Product,Vendor Advisory
https://www.silentgrid.com/blog/cve-2021-37749-hexagon-geomedia-webmap-2020-blind-sql-injection/ Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-37749, you might also want to check these: