CVE-2024-33872

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in Keyfactor Command allows attackers to execute arbitrary SQL commands on the database. Successful exploitation could lead to remote code execution and privilege escalation. Organizations running affected versions of Keyfactor Command 10.5.x before 10.5.1 or 11.5.x before 11.5.1 are at risk.

💻 Affected Systems

Products:
  • Keyfactor Command
Versions: 10.5.x before 10.5.1, 11.5.x before 11.5.1
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All installations within the affected version ranges are vulnerable regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with administrative access, data exfiltration, and persistent backdoor installation across the PKI infrastructure.

🟠 Likely Case

Database compromise leading to certificate authority manipulation, unauthorized certificate issuance, and privilege escalation within the Keyfactor platform.

🟢 If Mitigated

Limited impact with proper input validation, database permissions, and network segmentation preventing lateral movement.

🌐 Internet-Facing: HIGH - If Keyfactor Command web interface is exposed to the internet, attackers can exploit this remotely without authentication.
🏢 Internal Only: HIGH - Even internally, this vulnerability allows authenticated users to escalate privileges and potentially compromise the entire PKI infrastructure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities are commonly weaponized. While no public exploit exists, the CVSS 9.8 score indicates trivial exploitation for authenticated users.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.5.1 or 11.5.1

Vendor Advisory: https://trust.keyfactor.com/?itemUid=d73921fd-bc9e-4e35-a974-cfb628e6a226&source=click

Restart Required: Yes

Instructions:

  1. Backup your Keyfactor Command database and configuration.
  2. Download the appropriate patch version from the Keyfactor support portal.
  3. Apply the patch following Keyfactor's upgrade documentation.
  4. Restart all Keyfactor Command services.
  5. Verify the version shows 10.5.1 or 11.5.1.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict network access to the Keyfactor Command web interface to only trusted administrative networks.

Database Permission Reduction (applies to: all)

Limit the database user permissions used by Keyfactor Command to only the operations it needs.

🧯 If You Can't Patch

  • Implement strict input validation at the web application firewall level
  • Monitor database logs for unusual SQL queries and implement alerting

🔍 How to Verify

Check if Vulnerable:

Check the Keyfactor Command version in the web interface under Administration > System Information, or via the API endpoint /api/v1/system/info.

Check Version:

curl -k -H "Authorization: Bearer <token>" https://<keyfactor-host>/api/v1/system/info | grep version

Verify Fix Applied:

Confirm that the version shows 10.5.1 or 11.5.1 in the web interface, and test that SQL injection payloads no longer execute.
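The version check above is easy to get wrong by eye (10.5.0 and 10.5.10 sort differently from how they look), so here is a small checker, added as an example and not part of the advisory or Keyfactor's tooling, that classifies a version string against the two ranges the advisory gives (10.5.x before 10.5.1, 11.5.x before 11.5.1) and reports versions outside those branches as not covered rather than silently calling them safe. The `version` key in the JSON body and the sample response are assumptions; the page does not show the response schema of /api/v1/system/info.

```python
import json
import re

# Affected branches and the release that fixes each, as stated in the advisory.
FIXED_IN = {(10, 5): (10, 5, 1), (11, 5): (11, 5, 1)}

# Accept "10.5.0", "v10.5.0", "10.5" and longer build strings such as "10.5.0.1234".
VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch); a missing patch component counts as 0."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(version_text):
    """Classify a version against the advisory's ranges.

    Returns 'vulnerable', 'fixed', or 'not_in_advisory_range' for a branch the
    advisory says nothing about (for example 10.4.x or 12.0.x), which should be
    checked against the vendor advisory rather than assumed safe.
    """
    major, minor, patch = parse_version(version_text)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return "not_in_advisory_range"
    return "vulnerable" if (major, minor, patch) < fixed else "fixed"


def assess_system_info(json_body, key="version"):
    """Pull the version out of a system-info JSON body and assess it.

    The key name is an assumption; adjust it to the field your instance returns.
    """
    data = json.loads(json_body)
    if key not in data:
        raise KeyError(f"no {key!r} field in system info response")
    return assess(str(data[key]))


# Constructed response body for demonstration, not captured from a real system.
SAMPLE_BODY = '{"product": "Keyfactor Command", "version": "10.5.0.1234"}'

if __name__ == "__main__":
    for v in ("10.5.0", "10.5.1", "11.5", "11.5.3", "10.4.9"):
        print(f"{v:>8}: {assess(v)}")
    print("sample body:", assess_system_info(SAMPLE_BODY))
```

Pipe the output of the curl command above into this script (or paste the body into `SAMPLE_BODY`) to get an unambiguous verdict; anything reported as `not_in_advisory_range` needs a look at the vendor advisory rather than an assumption either way.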

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by SQL-like patterns in web logs
  • Unexpected database user privilege changes

Network Indicators:

  • SQL injection patterns in HTTP requests to Keyfactor endpoints
  • Unusual outbound database connections from Keyfactor server

SIEM Query:

source="keyfactor-web.log" AND ("UNION" OR "SELECT" OR "INSERT" OR "UPDATE" OR "DELETE" OR "EXEC" OR "xp_cmdshell")
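The SIEM query above fires on any occurrence of the listed keywords, so a certificate CN containing "select" or an "update" in a request path will page someone. The following script, an added example rather than anything from the advisory or from Keyfactor, runs both the literal keyword rule and a tighter version over a few constructed access-log lines: it URL-decodes the request target, only counts a keyword when a SQL metacharacter (quote, semicolon, comment opener) precedes it or when it is part of a UNION ... SELECT pair, and raises the severity when the same source IP had repeated failed logins beforehand, which is the pattern the Log Indicators list describes. The log format, the `/api/login` path, and all IPs and requests are constructed; real Keyfactor Command logs will look different.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Keyword list taken from the advisory's SIEM query.
SQL_KEYWORDS = ("UNION", "SELECT", "INSERT", "UPDATE", "DELETE", "EXEC", "XP_CMDSHELL")

# Constructed access-log lines in a common-log-like format (not real Keyfactor output).
# 10.0.0.5 fails to log in twice, then sends a UNION-based injection attempt;
# 10.0.0.7 is a legitimate search whose value happens to contain "select";
# 10.0.0.9 sends a stacked-query attempt with no prior failed logins.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /api/login HTTP/1.1" 401 12
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /api/login HTTP/1.1" 401 12
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /api/certificates?query=id%3D1%27%20UNION%20SELECT%201%2C2-- HTTP/1.1" 500 0
10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /api/certificates?query=CN%3Dselect-server.example HTTP/1.1" 200 842
10.0.0.9 - - [01/Jan/2024:10:02:00 +0000] "GET /api/certificates?query=id%3D1%3B%20EXEC%20xp_cmdshell HTTP/1.1" 500 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Keyword must follow a SQL metacharacter, or form a UNION [ALL] SELECT pair.
SQLI_CONTEXT_RE = re.compile(
    r"(?:['\";]|--|/\*)\s*(?:or|and|union|select|insert|update|delete|exec|xp_cmdshell)\b"
    r"|\bunion\s+(?:all\s+)?select\b",
    re.IGNORECASE,
)


def naive_keyword_hits(log_text):
    """Mirror of the advisory's SIEM query: any listed keyword anywhere in the raw line.

    Returns 1-based line numbers. Expect false positives on ordinary values.
    """
    return [
        i for i, line in enumerate(log_text.splitlines(), 1)
        if any(kw in line.upper() for kw in SQL_KEYWORDS)
    ]


def contextual_findings(log_text, failed_login_threshold=2):
    """Decode each request target, apply the context-aware rule, and correlate
    with prior failed logins from the same source IP."""
    failed_logins = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, target, status = m["ip"], m["target"], int(m["status"])
        # Assumed login endpoint; a 401 here counts as a failed login attempt.
        if target.startswith("/api/login") and status == 401:
            failed_logins[ip] += 1
            continue
        decoded = unquote_plus(target)  # encoded payloads hide from raw matching
        if SQLI_CONTEXT_RE.search(decoded):
            prior = failed_logins[ip]
            findings.append({
                "ip": ip,
                "target": decoded,
                "status": status,
                "prior_failed_logins": prior,
                "severity": "high" if prior >= failed_login_threshold else "medium",
            })
    return findings


if __name__ == "__main__":
    print("naive keyword rule hit lines:", naive_keyword_hits(SAMPLE_LOG))
    for f in contextual_findings(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} failed_logins={f['prior_failed_logins']} {f['target']}")
```

On the constructed sample the keyword rule flags three lines, including the harmless "select-server" search, while the contextual rule flags only the two injection attempts and ranks the one preceded by failed logins higher. Decoding before matching matters in the other direction too: a SIEM rule that matches raw lines misses percent-encoded or double-encoded keywords entirely, so pair any keyword rule with the 500-status spike and database-side query logging the advisory also recommends.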
