CVE-2021-44617
📋 TL;DR
This CVE describes a SQL injection vulnerability in the Ramo plugin for GLPI 9.4.6 that allows attackers to execute arbitrary SQL commands via the idu parameter. This affects all GLPI installations using the vulnerable Ramo plugin version. Attackers can potentially access, modify, or delete database content.
💻 Affected Systems
- GLPI with Ramo plugin
📦 What is this software?
GLPI by the GLPI Project
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data destruction, or full system takeover by chaining the SQL injection into remote code execution.
Likely Case
Unauthorized database access allowing extraction of sensitive information like user credentials, configuration data, or business information.
If Mitigated
Limited impact with proper input validation and parameterized queries preventing SQL injection execution.
🎯 Exploit Status
Exploit details are publicly available via Packet Storm Security. The vulnerability requires access to the vulnerable endpoint but may not require authentication depending on GLPI configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check GLPI and Ramo plugin updates after 9.4.6
Vendor Advisory: Not specified in provided references
Restart Required: No
Instructions:
1. Update GLPI to the latest version.
2. Update the Ramo plugin to a patched version.
3. Apply vendor security patches.
4. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Disable Ramo plugin
Linux: Temporarily disable the vulnerable Ramo plugin to prevent exploitation
mv plugins/ramo plugins/ramo.disabled
Restart web server
Web Application Firewall rule
All platforms: Block requests to the vulnerable endpoint plugins/ramo/ramoapirest.php/getOutdated
Add WAF rule to block /plugins/ramo/ramoapirest.php/getOutdated
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries for the idu parameter
- Restrict network access to GLPI instance and implement network segmentation
🔍 How to Verify
Check if Vulnerable:
Check whether the GLPI version is 9.4.6 and the Ramo plugin is installed. Test the endpoint plugins/ramo/ramoapirest.php/getOutdated with SQL injection payloads.
Check Version:
Check the GLPI version in the admin interface or in the PHP source file that defines it.
Verify Fix Applied:
Verify that GLPI and the Ramo plugin are updated to versions that include the fix. Test the vulnerable endpoint with SQL injection payloads to confirm they are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple requests to plugins/ramo/ramoapirest.php/getOutdated with suspicious parameters
- SQL error messages in web server logs
Network Indicators:
- Requests containing SQL injection patterns to the vulnerable endpoint
- Unusual database traffic from web server
SIEM Query:
source="web_logs" AND uri="/plugins/ramo/ramoapirest.php/getOutdated" AND param="idu" AND (value CONTAINS "' OR '" OR value CONTAINS "UNION" OR value CONTAINS "SELECT")
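The same detection logic as the SIEM query, run over web server access logs, as an added example that is not part of the advisory or of GLPI. It assumes the Apache/nginx "combined" log format and that idu is passed in the query string; the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Endpoint named in the advisory. Assumption: idu arrives in the query string.
TARGET_PATH = "/plugins/ramo/ramoapirest.php/getOutdated"

# The three patterns from the advisory's SIEM query, as case-insensitive regexes.
SQLI_PATTERNS = {
    "quote_or": re.compile(r"'\s*or\s*'", re.I),
    "union": re.compile(r"\bunion\b", re.I),
    "select": re.compile(r"\bselect\b", re.I),
}

# Apache/nginx "combined" access-log layout (assumed); captures only what we need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})')

def flag_request(line):
    """Return (ip, decoded_idu, [matched pattern names]) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("uri"))
    if url.path != TARGET_PATH:
        return None
    # parse_qs percent-decodes and turns '+' into spaces, so encoded payloads are inspected decoded.
    for value in parse_qs(url.query).get("idu", []):
        hits = [name for name, rx in SQLI_PATTERNS.items() if rx.search(value)]
        if hits:
            return (m.group("ip"), value, hits)
    return None

def scan_log(lines):
    """All flagged requests, in log order."""
    return [f for f in map(flag_request, lines) if f is not None]

def suspicious_sources(lines, threshold=2):
    """Source IPs with at least `threshold` flagged requests (the 'multiple requests' indicator)."""
    counts = Counter(ip for ip, _, _ in scan_log(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample lines: one benign lookup, two probes from one source, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2022:10:00:01 +0000] "GET /plugins/ramo/ramoapirest.php/getOutdated?idu=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2022:10:00:02 +0000] "GET /plugins/ramo/ramoapirest.php/getOutdated?idu=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812',
    '203.0.113.9 - - [10/Jan/2022:10:00:03 +0000] "GET /plugins/ramo/ramoapirest.php/getOutdated?idu=1+UNION+SELECT+1,2,3 HTTP/1.1" 500 233',
    '198.51.100.7 - - [10/Jan/2022:10:00:04 +0000] "GET /front/central.php?select=1 HTTP/1.1" 200 4000',
]
```

Access logs only carry query-string parameters; if the plugin receives idu in a POST body, the same check needs a request-body log source (for example a WAF or reverse-proxy log).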