CVE-2021-41609

9.8 CRITICAL

📋 TL;DR

This is a critical SQL injection vulnerability in SelectSurvey.NET that allows unauthenticated remote attackers to extract sensitive data from the backend database. Attackers can use boolean-based blind and UNION injection techniques to retrieve information. All organizations running vulnerable versions of SelectSurvey.NET are affected.

💻 Affected Systems

Products:
  • SelectSurvey.NET
Versions: All versions before 5.052.000
Operating Systems: Windows (as SelectSurvey.NET is typically deployed on Windows/IIS)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the UploadedImageDisplay.aspx endpoint's ID parameter. No special configuration is required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including extraction of sensitive survey data, user credentials, PII, and potential lateral movement to other systems.

🟠 Likely Case: Data exfiltration of survey responses, user information, and potentially authentication credentials from the database.

🟢 If Mitigated: Limited impact with proper WAF rules, input validation, and database permissions restricting sensitive data access.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible remotely without authentication, making internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internally, unauthenticated access to the vulnerable endpoint poses significant data breach risks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection techniques are well-documented and tools like sqlmap can automate exploitation. The vulnerability requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.052.000 and later

Vendor Advisory: https://www.classapps.com/product_ssv5.aspx

Restart Required: Yes

Instructions:

1. Download SelectSurvey.NET version 5.052.000 or later from ClassApps.
2. Backup current installation and database.
3. Install the updated version following vendor instructions.
4. Restart IIS/application services.
5. Verify the patch is applied by checking version.

🔧 Temporary Workarounds

WAF Rule Implementation

Platform: all

Implement Web Application Firewall rules to block SQL injection patterns targeting the UploadedImageDisplay.aspx endpoint

WAF-specific rules to block SQL injection patterns in ID parameter

Endpoint Restriction

Platform: windows

Restrict access to UploadedImageDisplay.aspx endpoint using firewall rules or authentication

IIS URL Rewrite rule to block or require auth for UploadedImageDisplay.aspx

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries for the ID parameter in UploadedImageDisplay.aspx
  • Deploy a WAF with SQL injection protection rules and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Test the UploadedImageDisplay.aspx endpoint with SQL injection payloads in the ID parameter or check application version

Check Version:

Check application version in admin interface or web.config file

Verify Fix Applied:

Verify version is 5.052.000 or later and test that SQL injection attempts no longer succeed

📡 Detection & Monitoring

Log Indicators:

  • SQL error messages in IIS logs
  • Multiple requests to UploadedImageDisplay.aspx with suspicious ID parameters
  • UNION SELECT patterns in URL parameters

Network Indicators:

  • SQL injection patterns in HTTP requests to UploadedImageDisplay.aspx
  • Database connection spikes from web server

SIEM Query:

source="IIS" AND url="*UploadedImageDisplay.aspx*" AND (url="*UNION*" OR url="*SELECT*" OR url="*OR*1=1*")
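
The query above matches literal keywords only, so percent-encoded or mixed-case values in the ID parameter slip past it. The following Python sketch is an added example (not vendor or project code) that applies the same log indicators to IIS W3C logs after decoding the ID value; the regex heuristics, the sample log lines, and the `/survey/` path are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote

ENDPOINT = "uploadedimagedisplay.aspx"
# Heuristics for the two indicator types named above (assumed, not vendor signatures).
SQLI = re.compile(r"\bunion\b.*\bselect\b|\b(?:and|or)\b\s+\S+\s*=\s*\S+", re.I | re.S)

# Constructed sample in IIS W3C extended format; paths and addresses are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2021-10-01 10:00:01 203.0.113.5 GET /survey/UploadedImageDisplay.aspx ID=42 200
2021-10-01 10:00:02 203.0.113.9 GET /survey/UploadedImageDisplay.aspx ID=1%20UNION%20SELECT%20NULL 200
2021-10-01 10:00:03 203.0.113.9 GET /survey/UploadedImageDisplay.aspx id=1+AnD+1%3D1 200
2021-10-01 10:00:04 203.0.113.9 GET /survey/UploadedImageDisplay.aspx ID=1%2520OR%25201%253D1 500
2021-10-01 10:00:05 203.0.113.7 GET /survey/Default.aspx q=union+select 200
"""

def decoded_id(query):
    """Return the ID parameter value(s), case-insensitive name, fully percent-decoded."""
    value = " ".join(v for k, v in parse_qsl(query, keep_blank_values=True) if k.lower() == "id")
    for _ in range(3):  # peel extra encoding layers that a literal match would miss
        peeled = unquote(value)
        if peeled == value:
            break
        value = peeled
    return value

def scan(log_text):
    """Return (client_ip, status, decoded_id) for suspicious requests to the endpoint."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order varies per server, so read the header
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split(" ")))
            if row.get("cs-uri-stem", "").lower().endswith(ENDPOINT):
                value = decoded_id(row.get("cs-uri-query", ""))
                if SQLI.search(value):
                    hits.append((row.get("c-ip"), row.get("sc-status"), value))
    return hits

def hits_per_client(hits):
    """Count flagged requests per source address (the 'multiple requests' indicator)."""
    return Counter(ip for ip, _, _ in hits)

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Tune the patterns against what legitimate ID values look like in your own logs before alerting on them.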
