CVE-2024-27112
📋 TL;DR
An unauthenticated SQL injection vulnerability exists in the SO Planning tool when its public view is enabled, allowing anyone who can reach the instance to execute arbitrary SQL against the application database without credentials. Every organization running a version below 1.52.02 with public view enabled is affected. An attacker can read, modify, or delete whatever data the application's database account can reach.
💻 Affected Systems
- SO Planning
📦 What is this software?
SO Planning (SOPlanning) by Soplanning, an open-source web-based team and project planning tool written in PHP with a MySQL/MariaDB backend. The "public view" option publishes the planning to visitors who are not logged in.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the application database: exfiltration of every table the application account can read, tampering with or destruction of planning data, and, if that account holds elevated database privileges (file write or other server-side features), a foothold on the database host and lateral movement from there.
Likely Case
Data theft of sensitive planning information, user credentials, and organizational data stored in the database.
If Mitigated
Limited impact if the application's database account is restricted to the tables and privileges it actually needs, but everything that account can read remains exposed to an unauthenticated attacker.
🎯 Exploit Status
SQL injection is a routinely weaponized bug class, and because this one requires no credentials, anyone who can reach a public-view instance and locate the vulnerable parameter can exploit it with off-the-shelf tooling. Treat exposed instances as actively at risk.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.52.02
Advisory (DIVD CSIRT): https://csirt.divd.nl/CVE-2024-27112
Restart Required: Yes
Instructions:
1. Back up the current installation directory and the database.
2. Download SO Planning version 1.52.02 or later from the official site.
3. Take the instance offline (maintenance page or a block at the web server) so no requests hit it mid-upgrade.
4. Deploy the new release over the existing installation, preserving your configuration file and uploaded data, and follow the release's upgrade notes.
5. Restart the web server (and PHP-FPM, if used) so no cached copy of the old code keeps running.
6. Confirm that the application reports version 1.52.02 or later and that planning functions work.
🔧 Temporary Workarounds
Disable Public View
Disable the public view setting in SO Planning so unauthenticated visitors can no longer reach the affected pages.
Set the public view option to off in SO Planning's configuration (public_view = false or the equivalent setting for your version), then confirm the public planning URL no longer loads without a login.
Network Access Control
Restrict network access to the SO Planning instance with firewall rules so that only trusted addresses can reach it.
iptables -A INPUT -p tcp --dport [SO_PLANNING_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [SO_PLANNING_PORT] -j DROP
Replace the placeholders with the real port and address (repeat the ACCEPT line for each trusted source). The ACCEPT rule must precede the DROP rule, and iptables rules do not survive a reboot unless saved (for example with iptables-save). If the application sits behind a reverse proxy, apply the same restriction there.
🧯 If You Can't Patch
- Disable public view setting immediately to prevent unauthenticated exploitation
- Put WAF rules in front of the application to block common SQL injection patterns (UNION SELECT, quote-comment sequences, time-delay functions) as a stopgap; a WAF does not remove the bug and can be bypassed, so it is not a substitute for patching
🔍 How to Verify
Check if Vulnerable:
You are vulnerable if the installed version is below 1.52.02 and the public view option is enabled. The patch component is zero-padded (1.52.02), so compare versions numerically rather than as strings.
Check Version:
Read the version from the SO Planning web interface or from the installed application's configuration/version files, and confirm it matches the files actually deployed on disk.
Verify Fix Applied:
Confirm the running version is 1.52.02 or later. Then, if public view must stay enabled, send a harmless probe to the public planning pages (for example a single quote appended to a parameter value) and confirm the response is a normal page or a clean application error rather than a database error.
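A small version check that follows the rules above, written for this page as an added example (it is not SO Planning's code). It extracts the first dotted version from any text you copy out of the interface or a config file, compares it numerically against 1.52.02, and combines that with the public view flag; the sample strings are constructed.

```python
import re

# Version in which CVE-2024-27112 is fixed, per the advisory on this page.
FIXED_VERSION = (1, 52, 2)

# Matches "1.52.02", "1.53", etc. inside surrounding text.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Extract the first dotted version from free text (web page footer,
    config file, 'about' dialog) and return it as a tuple of ints.
    Zero-padded components such as '02' become the integer 2, so
    comparisons are numeric rather than lexicographic."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version string found in: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version_text, public_view_enabled):
    """True when the instance is exposed to CVE-2024-27112: the running
    version predates the fix AND the public view option is turned on."""
    return parse_version(version_text) < FIXED_VERSION and public_view_enabled


def string_compare_misorders():
    """Why tuples are used above: as plain strings, '1.52.02' sorts before
    '1.52.1' because '0' < '1', although 02 is the larger patch number."""
    return "1.52.02" < "1.52.1"


if __name__ == "__main__":
    # Constructed inputs, e.g. text copied from an instance's footer.
    for text, public in [("SOPlanning 1.52.01", True),
                         ("SOPlanning 1.52.01", False),
                         ("Version 1.52.02", True)]:
        print(f"{text!r} public_view={public}: vulnerable={is_vulnerable(text, public)}")
```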
📡 Detection & Monitoring
Log Indicators:
- Database error messages (syntax errors, unknown column, etc.) surfacing in application or web server logs
- Bursts of requests to the public planning pages from a single IP, many returning HTTP 500 or database errors
- SQL keywords or syntax (UNION, SELECT, SLEEP(, quote-and-comment sequences) in request parameters; inspect URL-decoded values, since payloads are normally percent-encoded and sometimes double-encoded
Network Indicators:
- Unusual database connection patterns from application server
- Unusually large result sets or outbound data volume from the database server to the web host, out of line with normal planning-page traffic
SIEM Query:
source="so_planning.log" AND ("sql error" OR "syntax error" OR "union select")
Adjust the source name to your actual log and pair this with a search of web server access logs for the decoded payload patterns above, since a successful injection may produce no error in the application log at all.
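To make the log indicators above concrete, here is an added example (not part of the original page or of SO Planning) that scans web server access logs in combined format, URL-decodes each parameter twice so double-encoded payloads are not missed, classifies values against a few injection patterns, and reports source IPs that exceed a request threshold. The log lines, paths and parameter names are constructed for the example and are not SO Planning's real endpoints.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines in Apache/nginx "combined" format. The paths and
# the "id" parameter are invented for this example, not SO Planning's own.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /planning/index.php?id=12 HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:00:02 +0000] "GET /planning/index.php?id=12%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 500 611 "-" "sqlmap/1.7"
198.51.100.9 - - [10/Mar/2024:12:00:03 +0000] "GET /planning/index.php?id=12%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 4210 "-" "sqlmap/1.7"
198.51.100.9 - - [10/Mar/2024:12:00:04 +0000] "GET /planning/index.php?id=12%2527%2520OR%2520%25271%2527%253D%25271 HTTP/1.1" 200 9870 "-" "sqlmap/1.7"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /planning/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each pattern is applied to the fully decoded parameter value, case-insensitively.
SQLI_PATTERNS = [
    ("union_select", re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)),
    ("time_based", re.compile(r"\b(sleep|benchmark|waitfor|pg_sleep)\s*\(", re.I)),
    ("tautology", re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    ("comment_terminator", re.compile(r"--[\s-]|/\*", re.I)),
]


def decode_params(target):
    """Split the request target into path and decoded parameters. parse_qsl
    decodes once; unquote_plus decodes a second time so double-encoded
    payloads (%2527 -> %27 -> ') are caught. A legitimate literal '%' in a
    value could be altered by the second pass, which is acceptable for hunting."""
    parts = urlsplit(target)
    params = [(k, unquote_plus(v))
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.path, params


def classify(params):
    """Return [(param_name, pattern_label)] for values matching an injection pattern."""
    hits = []
    for name, value in params:
        for label, pat in SQLI_PATTERNS:
            if pat.search(value):
                hits.append((name, label))
                break  # one label per parameter is enough
    return hits


def analyze(log_text, threshold=2):
    """Scan access-log text. Returns (findings, suspicious_ips): one finding per
    request carrying an injection pattern, and IPs with >= threshold such requests."""
    per_ip = Counter()
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, params = decode_params(m["target"])
        hits = classify(params)
        if hits:
            per_ip[m["ip"]] += 1
            findings.append({"ip": m["ip"], "path": path,
                             "status": int(m["status"]), "hits": hits})
    suspicious = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return findings, suspicious


if __name__ == "__main__":
    findings, suspicious = analyze(SAMPLE_LOG)
    for f in findings:
        print(f"{f['ip']} {f['path']} HTTP {f['status']} -> {f['hits']}")
    print("IPs over threshold:", suspicious)
```

Run it against real access logs by replacing SAMPLE_LOG with the file contents; the 500 status on the UNION request mirrors the "database error" indicator above, while the SLEEP and tautology requests return 200 and would be invisible to an error-only search, which is why decoded parameter inspection matters.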