CVE-2024-38289

9.8 CRITICAL

📋 TL;DR

This is a critical SQL injection vulnerability in R-HUB TurboMeeting's Virtual Meeting Password endpoint that allows unauthenticated remote attackers to extract password hashes from the database. Attackers can use these hashed passwords to authenticate to the application and potentially gain unauthorized access. All systems running TurboMeeting through version 8.x are affected.

💻 Affected Systems

Products:
  • R-HUB TurboMeeting
Versions: Through 8.x
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The VMP endpoint is typically exposed by default in TurboMeeting installations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the TurboMeeting system, unauthorized access to all meetings, potential lateral movement to connected systems, and data exfiltration.

🟠 Likely Case

Unauthenticated attackers extract password hashes, crack weak passwords, and gain unauthorized access to meetings and administrative functions.

🟢 If Mitigated

Attackers can detect the vulnerability but cannot successfully exploit it because of input validation or WAF protections.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is a boolean-based SQL injection, a well-understood class of flaw, and a public proof-of-concept is available in the Google advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 9.0 or later

Vendor Advisory: https://www.rhubcom.com/v5/manuals.html

Restart Required: Yes

Instructions:

1. Download TurboMeeting version 9.0 or later from the R-HUB website.
2. Back up the current configuration and data.
3. Install the new version following the vendor's instructions.
4. Restart the TurboMeeting service.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

Applies to: all

Deploy a WAF with SQL injection protection rules to block malicious requests to the VMP endpoint.

Network Segmentation

Applies to: all

Restrict access to the TurboMeeting server to trusted networks only.

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries for the VMP endpoint
  • Disable or restrict access to the VMP endpoint if not required

🔍 How to Verify

Check if Vulnerable:

Check whether the installed TurboMeeting version is 8.x or earlier, via the admin interface or the installed version information.

Check Version:

Check TurboMeeting admin interface or installation directory for version information

Verify Fix Applied:

Verify that TurboMeeting version 9.0 or later is installed, then test the VMP endpoint with SQL injection payloads to confirm they are no longer effective.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed authentication attempts followed by successful login
  • Requests to VMP endpoint with SQL keywords

Network Indicators:

  • HTTP requests containing SQL injection patterns to /vmp endpoint
  • Unusual traffic patterns to TurboMeeting server

SIEM Query:

source="turbo-meeting.log" AND ("SQL" OR "syntax" OR "error" OR "vmp")
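As an added example (not code from this page or from the vendor), the following Python checker applies the log indicators above to constructed access-log lines: it flags requests to the /vmp endpoint whose URL-decoded query string contains common SQL injection tokens, flags any server error on that endpoint (a payload carried in a POST body will not appear in an access log, but the resulting error often will), and counts suspicious requests per source address. The combined-style log format, the parameter names `mid` and `pw`, and the sample addresses are assumptions; TurboMeeting's own log layout is not documented here, so adapt `LOG_RE` to the logs you actually have.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (combined-style); not real TurboMeeting logs.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2024:10:00:01 +0000] "GET /vmp?mid=12345&pw=abc HTTP/1.1" 200 512
10.0.0.9 - - [01/Jul/2024:10:00:03 +0000] "GET /vmp?mid=12345%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jul/2024:10:00:04 +0000] "GET /vmp?mid=12345%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jul/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jul/2024:10:00:06 +0000] "POST /vmp HTTP/1.1" 500 0
"""

# Assumed access-log layout: "src ident user [timestamp] "METHOD target PROTO" status size".
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Generic SQL-injection indicators, matched against the URL-decoded query.
# Boolean-based probes usually pair a closing quote with OR/AND; the others
# are common comment, UNION and time-delay tokens.
SQLI_PATTERNS = {
    "quote_boolean": re.compile(r"['\"]\s*(or|and)\s+", re.I),
    "tautology": re.compile(r"\b(or|and)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "comment": re.compile(r"(--|#|/\*)"),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "time_delay": re.compile(r"\b(sleep|benchmark|waitfor|pg_sleep)\b", re.I),
}

VMP_PATH = "/vmp"  # the endpoint named in this advisory


def analyze_log(text):
    """Return one finding per suspicious request to the VMP endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not match the assumed layout; skip it
        parts = urlsplit(m["target"])
        if not parts.path.lower().startswith(VMP_PATH):
            continue  # only the VMP endpoint is of interest here
        decoded = unquote_plus(parts.query)
        matched = [name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded)]
        # A 5xx on the VMP endpoint is worth a look even with a clean URL:
        # a POST body is not recorded in the access log, the error usually is.
        if m["status"].startswith("5"):
            matched.append("server_error")
        if matched:
            findings.append({
                "src": m["src"],
                "time": m["ts"],
                "status": m["status"],
                "query": decoded,
                "indicators": matched,
            })
    return findings


def sources_by_hits(findings):
    """Suspicious VMP requests per source address, most active first."""
    return Counter(f["src"] for f in findings).most_common()


if __name__ == "__main__":
    results = analyze_log(SAMPLE_LOG)
    for f in results:
        print(f["time"], f["src"], f["status"], f["indicators"], repr(f["query"]))
    print(sources_by_hits(results))
```

Decoding the query before matching matters: the boolean probe in the second sample line is `%27%20OR%20%271%27%3D%271` on the wire and only reads as `' OR '1'='1` after `unquote_plus`, which is also why a SIEM query that greps the raw line for "SQL" or "syntax" will miss the request itself and catch only the error it provokes.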
