CVE-2023-45684 - Mission Portal SQL injection vulnerability

Posted by Lars Erik Wik
November 13, 2023

We want to bring to your attention a critical security matter recently identified in CFEngine Enterprise version 3.6.0 and subsequent releases. This vulnerability pertains to a A03:2021 - Injection flaw within the CFEngine Enterprise web UI, Mission Portal, which can lead to unauthorized access to the underlying database. The CVE identifier CVE-2023-45684 has been assigned to this issue. At present, there is no evidence to suggest that this vulnerability has been exploited or that it was known beyond the CFEngine development team and the customer who brought it to our attention.

Explanation

Our vigilant CFEngine customers, Chad DeGuira and Jim Trater at the Oak Ridge National Laboratory, recently uncovered a vulnerability while scanning their attack surface. During their scan, they identified an unusual delay in the response time from the CFEngine Mission Portal login page. This delay raised concerns that an attacker might have the potential to manipulate the application’s behavior and gain direct access to the underlying database.

Impact

In response to this discovery, we conducted an internal penetration test to assess the severity of the vulnerability. Our testing confirmed that the Mission Portal login page was indeed susceptible to SQL injection, specifically of the time-based variety. This means that you cannot send queries to dump the database tables directly (with the common SELECT <column> FROM <table> statement). This is due to the fact that the queried results are not relayed in the servers response to the API request.

However, since the input is not properly sanitized, you can still craft special queries, testing for logical conditions AND‘ed with a call to the PG_SLEEP ( interval ), a function designed to delay the execution. By observing the time it takes for the server to respond, we can determine whether the first condition was true. This way we can slowly deduct the contents of the database, usually done one character at the time, making it a really slow process.

By utilizing this vulnerability we were able to dump the contents of the entire underlying database, including tables storing confidential information such as access tokens and salted password hashes. Thus, we consider this vulnerability a significant concern that warrants immediate attention and remediation. An overall severity score of 7.5 (high severity) has been calculated using the following severity vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Remediation

To mitigate this risk, we strongly recommend installing one of the latest versions of the CFEngine hub packages as listed on our download pages. The recently released CFEngine Enterprise versions 3.18.6 and 3.21.3 include the necessary fixes to address this vulnerability. It’s important to note that this issue exclusively affects the CFEngine hub. Thus, by installing the updated hub package, you can effectively remediate the issue. For more information on how to upgrade an existing CFEngine installation, please see our documentation.

We appreciate your continued trust in CFEngine, and we are committed to ensuring the security and reliability of our software. If you have any questions or require further assistance, please don’t hesitate to reach out to our support team.

Get in touch with us
to discuss how we can help!
Contact us
Sign up for
our newsletter
By signing up, you agree to your email address being stored and used to receive newsletters about CFEngine. We use tracking in our newsletter emails to improve our marketing content.