CVE-2020-15008 in Automate
Summary
by MITRE
A SQLi exists in the probe code of all ConnectWise Automate versions before 2020.7 or 2019.12. A SQL Injection in the probe implementation to save data to a custom table exists due to inadequate server-side validation. As the code creates dynamic SQL for the insert statement and utilizes the user-supplied table name with little validation, the table name can be modified to allow arbitrary update commands to be run. Using other SQL injection techniques such as timing attacks, it is possible to perform full data extraction as well. Patched in 2020.7 and in a hotfix for 2019.12.
Analysis
by VulDB Data Team • 10/29/2020
The vulnerability identified as CVE-2020-15008 represents a critical SQL injection flaw within the ConnectWise Automate platform that affects versions prior to 2020.7 and 2019.12. This security weakness resides in the probe code implementation responsible for saving data to custom tables, creating a pathway for malicious actors to exploit the system's database interactions. The vulnerability stems from inadequate server-side validation mechanisms that fail to properly sanitize user-supplied inputs before incorporating them into dynamic SQL queries.
The technical exploitation of this vulnerability occurs through the dynamic SQL construction process where the application generates insert statements using user-provided table names with minimal validation checks. This design flaw allows attackers to manipulate the table name parameter to inject malicious SQL commands that can execute arbitrary update operations against the database. The lack of proper input sanitization and parameterized query usage creates an environment where attackers can bypass normal database access controls and execute unauthorized operations.
The operational impact of this vulnerability extends beyond simple data manipulation to include comprehensive data extraction capabilities. Attackers can leverage various SQL injection techniques, including timing attacks, to systematically extract sensitive information from the database without leaving obvious traces. This enables unauthorized access to confidential data, potential system compromise, and disruption of business operations. The vulnerability affects the core functionality of the ConnectWise Automate platform, which is widely used for remote monitoring and management of IT infrastructure.
The remediation for CVE-2020-15008 was implemented through patches released in version 2020.7 and a targeted hotfix for the 2019.12 release. These updates addressed the root cause by implementing proper input validation and parameterized query construction techniques to prevent user-supplied table names from being directly incorporated into SQL statements. Organizations should prioritize immediate deployment of these patches to mitigate the risk of exploitation. The vulnerability aligns with CWE-89, which specifically addresses SQL injection flaws, and represents a significant concern from an ATT&CK framework perspective under the T1190 technique for exploiting vulnerabilities in remote services.
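The flawed pattern and a hardened counterpart, as an added example that is not ConnectWise's code: a table name cannot be bound as a query parameter, so the hardened version resolves it against an allowlist and binds only the values. The table, column and function names are assumptions, SQLite stands in for the product's database, and the hostile input is constructed.

```python
import sqlite3

# Constructed allowlist: custom tables (and columns) a probe may write to.
ALLOWED_TABLES = {"probe_results": ("device_id", "metric", "value")}

def build_insert_unsafe(table, row):
    """The flawed pattern: caller-supplied table name concatenated into SQL."""
    cols = ", ".join(row)
    vals = ", ".join("'%s'" % v for v in row.values())
    return "INSERT INTO %s (%s) VALUES (%s)" % (table, cols, vals)

def insert_safe(conn, table, row):
    """Resolve identifiers against the allowlist; bind values as parameters."""
    columns = ALLOWED_TABLES.get(table)
    if columns is None:
        raise ValueError("table not permitted: %r" % (table,))
    unknown = set(row) - set(columns)
    if unknown:
        raise ValueError("column not permitted: %r" % sorted(unknown))
    names = [c for c in columns if c in row]
    # Only allowlisted identifiers reach the SQL text; values never do.
    sql = 'INSERT INTO "%s" (%s) VALUES (%s)' % (
        table,
        ", ".join('"%s"' % c for c in names),
        ", ".join("?" for _ in names),
    )
    conn.execute(sql, [row[c] for c in names])
    return sql

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE probe_results (device_id, metric, value)")
    row = {"device_id": 7, "metric": "cpu", "value": "41"}
    good_sql = insert_safe(conn, "probe_results", row)
    # Constructed hostile table name that carries a second statement.
    hostile = "probe_results (metric) VALUES ('x'); UPDATE probe_results SET value='0' --"
    unsafe_sql = build_insert_unsafe(hostile, row)  # built only, never executed
    try:
        insert_safe(conn, hostile, row)
        rejected = False
    except ValueError:
        rejected = True
    stored = conn.execute("SELECT device_id, metric, value FROM probe_results").fetchall()
    return good_sql, unsafe_sql, rejected, stored

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The same allowlist doubles as a detection point: a rejected table name is a high-signal event worth logging with the submitting agent's identity.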
Security practitioners should implement additional monitoring measures to detect potential exploitation attempts and establish network segmentation to limit the attack surface. The vulnerability demonstrates the critical importance of input validation and proper database query construction practices, particularly when dealing with dynamic SQL generation and user-supplied data. Organizations using ConnectWise Automate should conduct thorough security assessments to identify any potential exploitation attempts and ensure that all systems are updated to the patched versions. The incident highlights the necessity of maintaining up-to-date security practices and the importance of validating all user inputs before processing them in database operations.