CVE-2024-29889
📋 TL;DR
CVE-2024-29889 is a SQL injection vulnerability in GLPI's saved searches feature that allows authenticated users to modify other user accounts and potentially take control of them. This affects GLPI installations prior to version 10.0.15. Attackers can exploit this to escalate privileges and compromise the GLPI system.
💻 Affected Systems
- GLPI
📦 What is this software?
GLPI by the GLPI Project
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could take over administrative accounts, gain full control of the GLPI instance, access sensitive IT asset data, and potentially pivot to other systems.
Likely Case
An authenticated user with malicious intent could modify other user accounts, change passwords, escalate privileges, and access unauthorized data within the GLPI system.
If Mitigated
With proper network segmentation, limited user permissions, and monitoring, impact would be contained to the GLPI application with limited lateral movement.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The SQL injection in the saved searches feature allows account takeover.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.15
Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-8xvf-v6vv-r75g
Restart Required: No
Instructions:
1. Back up your GLPI database and files.
2. Download GLPI 10.0.15 or later from official sources.
3. Follow the GLPI upgrade documentation to update your installation.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Disable Saved Searches Feature
Temporarily disable the saved searches functionality to prevent exploitation while planning the upgrade.
Restrict User Permissions
Limit user access to only the necessary functions and implement the principle of least privilege.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate GLPI from other critical systems
- Enable detailed logging and monitoring for SQL injection attempts and unusual user account modifications
🔍 How to Verify
Check if Vulnerable:
Check GLPI version via web interface or by examining the GLPI installation files. Versions below 10.0.15 are vulnerable.
Check Version:
In GLPI web interface: Go to Administration > Information > GLPI. Or check the GLPI installation directory for version files.
Verify Fix Applied:
Verify GLPI version is 10.0.15 or higher. Check that saved searches functionality works without errors after update.
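The version check above, as an added example (not code from this advisory or from the GLPI project): it reads the version string out of the install directory and compares it numerically against the fixed release, so that 10.0.9 is correctly treated as older than 10.0.15. It assumes GLPI declares its version in `inc/define.php` as `define('GLPI_VERSION', '...')`; the sample file contents are constructed.

```python
import re
from typing import Optional

# Release in which CVE-2024-29889 was fixed, as stated in the advisory.
FIXED_VERSION = "10.0.15"

# Assumption: inc/define.php contains define('GLPI_VERSION', '10.0.14');
# The pattern tolerates single or double quotes and extra whitespace.
_VERSION_RE = re.compile(
    r"""define\(\s*['"]GLPI_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)


def parse_version(version: str) -> tuple:
    """Turn '10.0.15' or '10.0.15-dev' into a tuple that compares correctly.

    Components are compared as integers, so 10.0.9 < 10.0.15 (a plain
    string comparison would get that wrong). A pre-release suffix such
    as '-dev' or '-rc1' sorts before the final release of the same number.
    """
    core, _, suffix = version.partition("-")
    numbers = tuple(int(p) for p in core.split("."))
    return numbers + ((1,) if not suffix else (0, suffix))


def extract_version(define_php: str) -> Optional[str]:
    """Return the GLPI_VERSION value from the text of inc/define.php, or None."""
    match = _VERSION_RE.search(define_php)
    return match.group(1) if match else None


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_install(define_php: str) -> dict:
    """Summarise one installation from the contents of its define.php."""
    version = extract_version(define_php)
    if version is None:
        return {"version": None, "vulnerable": None,
                "note": "GLPI_VERSION not found; read the version from the web UI"}
    return {"version": version, "vulnerable": is_vulnerable(version),
            "note": f"fixed in {FIXED_VERSION}"}


# Constructed sample of what inc/define.php might contain (not real GLPI code).
SAMPLE_DEFINE_PHP = "<?php\ndefine('GLPI_VERSION', '10.0.14');\n"

if __name__ == "__main__":
    print(check_install(SAMPLE_DEFINE_PHP))
```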
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by a successful login from the same IP
- User account modifications from non-admin users
- SQL error messages containing user input
Network Indicators:
- Unusual patterns of requests to saved searches endpoints
- POST requests with SQL-like syntax in parameters
SIEM Query:
source="glpi_logs" AND ("savedsearch" OR "search.do") AND ("SQL" OR "syntax" OR "error" OR "union" OR "select")
🔗 References
- https://github.com/glpi-project/glpi/commit/0a6b28be4c0f848106c60b554c703ec2e178d6c7
- https://github.com/glpi-project/glpi/security/advisories/GHSA-8xvf-v6vv-r75g