CVE-2023-4675

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in GM Information Technologies MDO allows attackers to execute arbitrary SQL commands on the database. It affects all MDO versions through December 29, 2023. Organizations using this software are at risk of data theft, modification, or complete system compromise.

💻 Affected Systems

Products:
  • GM Information Technologies MDO
Versions: through 20231229
Operating Systems: Unknown - likely multiple
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of affected versions are vulnerable. No specific configuration makes it immune.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data destruction, privilege escalation to system administrator, and potential remote code execution on the underlying server.

🟠 Likely Case

Unauthorized data access, data exfiltration, and potential privilege escalation within the application.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and database permissions restricting unauthorized actions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities typically have low exploitation complexity. The vendor did not respond to disclosure attempts, suggesting limited security coordination.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Contact GM Information Technologies for updates. Consider migrating to alternative software if no fix is forthcoming.

🔧 Temporary Workarounds

Implement Web Application Firewall (WAF)
Applies to: all

Deploy a WAF with SQL injection rules to block malicious requests.

Network Segmentation
Applies to: all

Isolate MDO systems from sensitive networks and restrict database access.

🧯 If You Can't Patch

  • Immediately isolate affected systems from the internet and sensitive internal networks.
  • Implement strict database permissions, removing unnecessary privileges and using read-only accounts where possible.

🔍 How to Verify

Check if Vulnerable:

Check MDO version against affected range. Test with SQL injection payloads in input fields (only in authorized testing environments).

Check Version:

Check the application interface or configuration files of the MDO deployment for version information.

Verify Fix Applied:

Verify that the installed version is later than 20231229. Conduct authorized penetration testing with SQL injection payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries
  • SQL syntax errors in application logs
  • Multiple failed login attempts with SQL-like payloads

Network Indicators:

  • HTTP requests containing SQL keywords (SELECT, UNION, etc.) in parameters

SIEM Query:

source="web_logs" AND (url="*SELECT*" OR url="*UNION*" OR url="*OR 1=1*")
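As an added example (not part of the advisory), the SIEM query above expressed as detection logic over constructed web-server log lines. It URL-decodes the request path before matching, so percent-encoded payloads are not missed, and uses word boundaries so a benign word such as "selection" does not trip the "*SELECT*" wildcard. Log format, field names and sample addresses are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Signatures mirroring the page's SIEM query (SELECT, UNION, OR 1=1),
# matched case-insensitively on the URL-decoded request path.
SQLI_SIGNATURES = [
    ("select", re.compile(r"\bselect\b", re.IGNORECASE)),
    ("union", re.compile(r"\bunion\b", re.IGNORECASE)),
    ("or_1_eq_1", re.compile(r"\bor\s+1\s*=\s*1\b", re.IGNORECASE)),
]

# Constructed sample access-log lines (common log format); not real MDO traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - - [29/Dec/2023:10:00:01 +0000] "GET /mdo/report?id=42 HTTP/1.1" 200 512',
    '10.0.0.7 - - [29/Dec/2023:10:00:02 +0000] "GET /mdo/report?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 9812',
    '10.0.0.9 - - [29/Dec/2023:10:00:03 +0000] "GET /mdo/search?q=1+UNION+SELECT+1%2C2 HTTP/1.1" 500 233',
    '10.0.0.3 - - [29/Dec/2023:10:00:04 +0000] "GET /mdo/help?topic=selection HTTP/1.1" 200 1200',
]

# Assumed common log format: client, ident, user, [timestamp], "METHOD URL PROTO", status
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = REQUEST_RE.match(line)
    return m.groupdict() if m else None

def matched_signatures(url):
    """Names of the SQLi signatures that fire on the URL-decoded request path."""
    decoded = unquote_plus(url)  # %27 -> ', %20 and + -> space, %3D -> =
    return [name for name, rx in SQLI_SIGNATURES if rx.search(decoded)]

def scan(lines):
    """Return one alert per log line whose request path matches any signature."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = matched_signatures(rec["url"])
        if hits:
            alerts.append({"src": rec["src"], "ts": rec["ts"], "url": rec["url"],
                           "status": rec["status"], "hits": hits})
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Alerts with a 500 status alongside a signature hit line up with the "SQL syntax errors in application logs" indicator above and deserve priority triage.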
