CVE-2024-29873
📋 TL;DR
This SQL injection vulnerability in Sentrifugo 3.2 allows remote attackers to execute arbitrary SQL queries through the 'bunitname' parameter in the business units report endpoint. Successful exploitation could lead to complete database compromise, including extraction of sensitive data like user credentials and business information. All organizations running vulnerable Sentrifugo instances are affected.
💻 Affected Systems
- Sentrifugo
📦 What is this software?
Sentrifugo by Sapplica
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data exfiltration, authentication bypass, privilege escalation, and potential remote code execution if database functions allow it.
Likely Case
Extraction of sensitive business data, user credentials, and configuration information from the database.
If Mitigated
Limited impact with proper input validation and parameterized queries in place.
🎯 Exploit Status
SQL injection vulnerabilities are commonly weaponized, and this one requires no authentication, making exploitation straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for latest patched version
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sentrifugo
Restart Required: Yes
Instructions:
1. Backup your current Sentrifugo installation and database
2. Download the latest patched version from official sources
3. Replace vulnerable files with patched versions
4. Restart web server services
5. Verify the fix by testing the vulnerable endpoint
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
Implement WAF rules to block SQL injection patterns targeting the vulnerable endpoint
# Example ModSecurity rule for Apache
SecRule ARGS:bunitname "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQLi attempt detected'"
# For nginx, use naxsi or similar WAF module
Input Validation Filter
Add input validation to sanitize the bunitname parameter before processing
# PHP example for input validation (FILTER_SANITIZE_STRING is deprecated since PHP 8.1)
$bunitname = trim((string) filter_input(INPUT_GET, 'bunitname', FILTER_DEFAULT));
# Bind the value as a query parameter instead of escaping it into the SQL string
$stmt = mysqli_prepare($connection, 'SELECT * FROM business_units WHERE unitname = ?');  # table/column names are placeholders
mysqli_stmt_bind_param($stmt, 's', $bunitname);
mysqli_stmt_execute($stmt);
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Sentrifugo from sensitive systems
- Deploy a web application firewall with SQL injection detection rules
🔍 How to Verify
Check if Vulnerable:
Test the endpoint /sentrifugo/index.php/reports/businessunits/format/html?bunitname=' OR '1'='1 and check for SQL errors or unexpected data in response
Check Version:
Check Sentrifugo version in configuration files or admin panel
Verify Fix Applied:
Attempt the same SQL injection test after patching - should return proper error handling or no data leakage
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in web server logs
- Multiple rapid requests to /sentrifugo/index.php/reports/businessunits/format/html
- Requests containing SQL keywords like UNION, SELECT, INSERT in bunitname parameter
Network Indicators:
- Unusual database query patterns from web server
- Large data exfiltration from database server
SIEM Query:
source="web_server.log" AND (url="/sentrifugo/index.php/reports/businessunits/format/html" AND (param="bunitname" AND value CONTAINS "' OR" OR value CONTAINS "UNION" OR value CONTAINS "SELECT"))
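As an added example (not part of this advisory), the log indicators above applied to constructed web server access-log lines in Python: it parses combined-format entries, flags requests to the vulnerable endpoint whose bunitname value carries the listed SQL keywords, and counts rapid repeated hits per client. The sample lines and TEST-NET addresses are constructed; the log format is assumed to be Apache/nginx combined.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/sentrifugo/index.php/reports/businessunits/format/html"

# Keyword patterns taken from the page's log indicators (quote followed by OR, UNION, SELECT, INSERT)
SQLI_RE = re.compile(r"'\s*OR\b|\bUNION\b|\bSELECT\b|\bINSERT\b", re.IGNORECASE)

# Apache/nginx combined log format: client IP, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample access-log lines (hypothetical addresses from the TEST-NET range)
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /sentrifugo/index.php/reports/businessunits/format/html?bunitname=Sales HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /sentrifugo/index.php/reports/businessunits/format/html?bunitname=%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 812
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /sentrifugo/index.php/reports/businessunits/format/html?bunitname=%27%20UNION%20SELECT%20NULL-- HTTP/1.1" 200 9043
203.0.113.9 - - [10/Mar/2024:12:00:04 +0000] "GET /sentrifugo/index.php/login HTTP/1.1" 200 2048
"""


def suspicious_bunitname(url):
    """Return the decoded bunitname value if the vulnerable path is hit with an SQLi pattern, else None."""
    parts = urlsplit(url)
    if parts.path != VULN_PATH:
        return None
    # parse_qs percent-decodes the value, so encoded quotes and spaces are matched as well
    for value in parse_qs(parts.query, keep_blank_values=True).get("bunitname", []):
        if SQLI_RE.search(value):
            return value
    return None


def scan(lines, burst_threshold=5):
    """Return (list of (ip, status, decoded value) hits, dict of IPs hammering the endpoint)."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if urlsplit(m["url"]).path == VULN_PATH:
            per_ip[m["ip"]] += 1
        value = suspicious_bunitname(m["url"])
        if value is not None:
            hits.append((m["ip"], m["status"], value))
    bursts = {ip: n for ip, n in per_ip.items() if n >= burst_threshold}
    return hits, bursts
```

Run `scan(SAMPLE_LOG.splitlines())` against real logs by feeding the file's lines instead of the sample; a hit with HTTP 500 next to a normal request from another client is the pattern the "Unusual SQL error messages" indicator describes.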