CVE-2023-4539

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to access sensitive data in Comarch ERP XL databases using a hard-coded password that's identical across all installations. It affects all Comarch ERP XL installations from version 2020.2.2 through 2023.2. Attackers with network access to the database can exploit this to retrieve embedded sensitive information.

💻 Affected Systems

Products:
  • Comarch ERP XL
Versions: 2020.2.2 through 2023.2
Operating Systems: All supported OS for Comarch ERP XL
Default Config Vulnerable: ⚠️ Yes
Notes: All installations within the affected version range are vulnerable by default due to the hard-coded password.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to theft of all sensitive business data, financial information, customer records, and intellectual property stored in the ERP system.

🟠 Likely Case

Unauthorized access to sensitive business data, potentially including financial records, customer information, and operational data stored in the database.

🟢 If Mitigated

Limited or no data exposure if proper network segmentation and access controls prevent unauthorized database connections.

🌐 Internet-Facing: HIGH if database is internet-accessible, as attackers can directly connect using the hard-coded credentials.
🏢 Internal Only: MEDIUM to HIGH depending on internal network segmentation and access controls, as authenticated internal users or compromised internal systems could exploit this.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only knowledge of the hard-coded password and network access to the database. No authentication to the ERP system itself is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2023.3 or later

Vendor Advisory: https://cert.pl/en/posts/2024/02/CVE-2023-4537/

Restart Required: Yes

Instructions:

1. Upgrade Comarch ERP XL to version 2023.3 or later.
2. Change the password for the affected database account.
3. Restart the ERP application and database services.

🔧 Temporary Workarounds

Change Database Account Password

Applies to: all

Manually change the password for the hard-coded database account to a strong, unique password. The statement depends on the database engine behind the installation (the advisory lists both SQL Server and Oracle ports); placeholders in square brackets are to be substituted:

-- SQL Server (port 1433): logins are changed with ALTER LOGIN
ALTER LOGIN [account_name] WITH PASSWORD = '[new_strong_password]';
-- Oracle (port 1521): the new password is given as a double-quoted identifier
ALTER USER account_name IDENTIFIED BY "[new_strong_password]";

Restrict Database Network Access

Applies to: all

Implement network segmentation and firewall rules to restrict database access to only authorized application servers.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the database from untrusted networks
  • Change the hard-coded database account password immediately and monitor for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check the Comarch ERP XL version via the administration console or configuration files. If the version is between 2020.2.2 and 2023.2 inclusive, the system is vulnerable.

Check Version:

Check ERP administration panel or consult Comarch documentation for version checking commands specific to your installation.

Verify Fix Applied:

Verify version is 2023.3 or later and attempt to connect to the database using the previously known hard-coded password (should fail).

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts to database with the hard-coded password
  • Unusual database queries from unexpected sources
  • Database connection attempts from unauthorized IP addresses

Network Indicators:

  • Database connection attempts on port 1433 (MSSQL) or 1521 (Oracle) from unexpected sources
  • Unusual data extraction patterns in database traffic

SIEM Query:

source="database_logs" AND ((event_type="authentication_failure" AND user="[hardcoded_account]") OR (source_ip NOT IN [allowed_ips] AND destination_port IN (1433,1521)))
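The same detection logic run over sample log lines, as an added example that is not part of this advisory: it applies `source="database_logs"` to both branches of the query, and adds one case the log indicators above do not list: because the password is identical on every installation, a successful login as the hard-coded account from a source that is not an authorized application server is the strongest signal, not a failed one. The account name, allowed address range and log format are constructed placeholders.

```python
import ipaddress
import json

# Placeholders (constructed for this example; substitute your own values):
HARDCODED_ACCOUNT = "erpxl_app"                               # the hard-coded DB account
ALLOWED_APP_SERVERS = [ipaddress.ip_network("10.0.10.0/24")]  # authorized ERP app servers
DB_PORTS = {1433, 1521}                                       # MSSQL / Oracle listener

def is_allowed_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_APP_SERVERS)

def classify(event):
    """Return alert names for one database log event (a dict), mirroring the
    SIEM query with source="database_logs" applied to both branches, plus a
    check for a successful hard-coded-account login from an unexpected host."""
    if event.get("source") != "database_logs":
        return []
    alerts = []
    from_unexpected = (event.get("destination_port") in DB_PORTS
                       and not is_allowed_source(event["source_ip"]))
    if event.get("event_type") == "authentication_failure" and event.get("user") == HARDCODED_ACCOUNT:
        alerts.append("hardcoded-account-auth-failure")
    if from_unexpected:
        alerts.append("db-connection-from-unexpected-source")
    if (from_unexpected and event.get("event_type") == "authentication_success"
            and event.get("user") == HARDCODED_ACCOUNT):
        alerts.append("hardcoded-account-login-from-unexpected-source")
    return alerts

def scan(lines):
    """Parse JSON log lines and return (alert, source_ip, user) tuples."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        for name in classify(ev):
            findings.append((name, ev["source_ip"], ev.get("user")))
    return findings

# Constructed sample log lines (not real Comarch, SQL Server or Oracle output).
SAMPLE_LOGS = [
    '{"source":"database_logs","event_type":"authentication_success","user":"erpxl_app","source_ip":"10.0.10.5","destination_port":1433}',
    '{"source":"database_logs","event_type":"authentication_failure","user":"erpxl_app","source_ip":"10.0.10.5","destination_port":1433}',
    '{"source":"database_logs","event_type":"authentication_success","user":"erpxl_app","source_ip":"192.168.50.7","destination_port":1433}',
    '{"source":"database_logs","event_type":"authentication_success","user":"reporting","source_ip":"203.0.113.9","destination_port":1521}',
    '{"source":"app_logs","event_type":"authentication_failure","user":"erpxl_app","source_ip":"203.0.113.9","destination_port":1433}',
]
```

Running `scan(SAMPLE_LOGS)` flags the failure on the app server, the successful hard-coded-account login from 192.168.50.7 (two alerts), and the reporting login from 203.0.113.9; the last line is ignored because it is not a database log.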

🔗 References
