CVE-2024-6912

9.8 CRITICAL

📋 TL;DR

This vulnerability involves hard-coded MSSQL credentials in PerkinElmer ProcessPlus software on Windows, allowing attackers to remotely authenticate to the database server. All installations running affected versions are vulnerable, potentially exposing sensitive process data and system control.

💻 Affected Systems

Products:
  • PerkinElmer ProcessPlus
Versions: through 1.11.6507.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with default configuration are vulnerable. Requires MSSQL database component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the MSSQL database, allowing data exfiltration, manipulation of industrial process data, and potential lateral movement to other systems.

🟠 Likely Case

Unauthorized access to process data, configuration tampering, and potential disruption of industrial operations.

🟢 If Mitigated

Limited impact if network segmentation prevents external access and credentials are changed.

🌐 Internet-Facing: HIGH - If exposed to internet, attackers can directly exploit using known credentials.
🏢 Internal Only: HIGH - Internal attackers or compromised systems can easily exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only knowledge of hard-coded credentials and network access to MSSQL port (default 1433).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not provided in references

Restart Required: No

Instructions:

1. Contact PerkinElmer for updated version beyond 1.11.6507.0
2. Apply vendor-provided patch when available
3. Test in non-production environment first

🔧 Temporary Workarounds

Change MSSQL Credentials

Platform: Windows

Manually change the hard-coded MSSQL credentials in ProcessPlus configuration

-- Requires manual configuration change in ProcessPlus settings
-- Consult PerkinElmer documentation for credential location

Network Segmentation

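Platform: Windows

Restrict access to MSSQL port (1433) to only trusted systems

netsh advfirewall firewall add rule name="Block MSSQL External" dir=in action=block protocol=TCP localport=1433 remoteip=any

Note: as written, this rule blocks every remote inbound connection to TCP 1433. Windows Firewall block rules take precedence over allow rules, so where trusted remote hosts still need database access, use an allow rule whose remoteip lists only those hosts in place of this block rule.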

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate ProcessPlus systems from untrusted networks
  • Change MSSQL credentials immediately and monitor for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check ProcessPlus version in About dialog or installation directory. If version is 1.11.6507.0 or earlier, system is vulnerable.

Check Version:

Check ProcessPlus executable properties or About menu within the application

Verify Fix Applied:

Verify that the ProcessPlus version is above 1.11.6507.0, and confirm that MSSQL authentication with the old credentials fails.

📡 Detection & Monitoring

Log Indicators:

  • Failed MSSQL authentication attempts from unexpected sources
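  • Successful logins with default/hard-coded credentials (SQL Server audits only failed logins by default, so login auditing must be set to record successful logins as well)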
  • Unusual database queries or access patterns

Network Indicators:

  • Connection attempts to MSSQL port (1433) from unauthorized IPs
  • Traffic patterns indicating database enumeration or exfiltration

SIEM Query:

source="mssql" AND (event_id=18454 OR event_id=18456) AND user="[hard-coded-username]"
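The same check applied directly to SQL Server ERRORLOG text, as an added example that is not part of the original advisory or any vendor tooling: it flags failed (18456) and successful SQL-authentication (18454) logins for the watched account from sources outside an allowlist. The account name is a placeholder because the page does not disclose it; the allowlist, the treatment of local connections as expected, and the sample log lines are constructed assumptions, and success lines appear only when login auditing records successful logins.

```python
import ipaddress
import re

# Placeholder: the page does not disclose the hard-coded login name.
WATCHED_LOGIN = "HARDCODED_ACCOUNT_PLACEHOLDER"
# Assumed allowlist of hosts permitted to reach TCP 1433 (constructed value).
TRUSTED = [ipaddress.ip_network("10.20.0.0/28")]

# Login audit messages behind events 18454 (SQL-auth success) and
# 18456 (failure) as written to the SQL Server ERRORLOG.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+"
    r"Login (?P<result>succeeded|failed) for user '(?P<user>[^']*)'\."
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

def is_trusted(client):
    """Local connections and allowlisted addresses count as expected."""
    if client == "<local machine>":
        return True
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # unparseable source: surface it for review
    return any(addr in net for net in TRUSTED)

def find_alerts(lines, login=WATCHED_LOGIN):
    """Return (timestamp, event_id, client) for watched-login events
    that originate outside the allowlist."""
    alerts = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m or m["user"].lower() != login.lower() or is_trusted(m["client"]):
            continue
        event_id = 18454 if m["result"] == "succeeded" else 18456
        alerts.append((m["ts"], event_id, m["client"]))
    return alerts

# Constructed sample ERRORLOG lines (not captured from a real system).
SAMPLE = [
    "2024-01-01 08:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.",
    "2024-01-01 08:00:01.10 Logon       Login failed for user 'HARDCODED_ACCOUNT_PLACEHOLDER'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.44]",
    "2024-01-01 08:00:05.32 Logon       Login succeeded for user 'HARDCODED_ACCOUNT_PLACEHOLDER'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.44]",
    "2024-01-01 08:01:10.00 Logon       Login succeeded for user 'HARDCODED_ACCOUNT_PLACEHOLDER'. Connection made using SQL Server authentication. [CLIENT: 10.20.0.5]",
    "2024-01-01 08:02:00.50 Logon       Login succeeded for user 'HARDCODED_ACCOUNT_PLACEHOLDER'. Connection made using SQL Server authentication. [CLIENT: <local machine>]",
    "2024-01-01 08:03:00.00 Logon       Login failed for user 'other_app'. Reason: Could not find a login matching the name provided. [CLIENT: 192.0.2.44]",
]

if __name__ == "__main__":
    print(*find_alerts(SAMPLE), sep="\n")
```

A successful login (18454) from a non-allowlisted address is the higher-priority result, since it means the credentials were accepted from an unexpected source.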
