CVE-2022-44014 in Lieferantenmanager
Summary
by MITRE • 12/25/2022
An issue was discovered in Simmeth Lieferantenmanager before 5.6. In the design of the API, a user is inherently able to fetch arbitrary SQL tables. This leaks all user passwords and MSSQL hashes via /DS/LM_API/api/SelectionService/GetPaggedTab.
Analysis
by VulDB Data Team • 01/24/2023
This vulnerability exists in Simmeth Lieferantenmanager versions before 5.6 and represents a critical authorization flaw that allows any authenticated user to execute arbitrary SQL queries against the underlying Microsoft SQL Server database. The issue stems from improper input validation and insufficient access controls within the API endpoint /DS/LM_API/api/SelectionService/GetPaggedTab, which processes user requests without adequately validating the parameters that control which database table is selected. The vulnerability enables a malicious actor to construct SQL injection payloads that bypass the normal database access restrictions and retrieve sensitive information from any table within the database schema.
Technically, this flaw is a classic case of insecure direct object reference combined with SQL injection: user-supplied parameters are incorporated directly into the SQL query without proper escaping or validation. Under CWE-285 it is an authorization bypass, because the application fails to enforce access controls properly, and CWE-89 applies because of the SQL injection component that allows arbitrary query execution. The vulnerability operates at the application layer and requires only a valid user account to exploit, which makes it particularly dangerous: any user with legitimate access to the system can leverage it.
The operational impact of this vulnerability is severe and multifaceted, as it provides attackers with the ability to extract all user credentials and authentication hashes stored within the MSSQL database. This includes plain text passwords, encrypted hashes, and potentially other sensitive user information that could be used for lateral movement within the network or for credential reuse attacks. The exposure of MSSQL hashes specifically enables attackers to potentially perform pass-the-hash attacks or crack password hashes offline, depending on the hashing algorithm used. This vulnerability directly maps to ATT&CK technique T1078 which covers valid accounts and T1566 which covers credential access through exploitation of vulnerabilities.
Organizations should immediately implement several mitigation strategies to address this vulnerability. The most critical action is upgrading the software to version 5.6 or later, in which the API endpoint has been secured with input validation and proper access control mechanisms. Additionally, network segmentation should be implemented to limit access to the API endpoints, and database permissions should be strictly limited to only those users who require access to specific tables. Web application firewalls and database activity monitoring systems can help detect and prevent exploitation attempts. Regular security audits of API endpoints and input validation mechanisms should be conducted to identify similar vulnerabilities, and the principle of least privilege should be enforced across all database access points to minimize the potential damage from future incidents.
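To illustrate the flaw class described above and the allowlist-plus-authorization fix the mitigation paragraph calls for, here is an added example that is not code from Simmeth or from the VulDB analysis. It is a constructed paged-table handler: the parameter name, permission names and table contents are assumptions, and an in-memory SQLite database stands in for the product's MSSQL backend so the example runs offline.

```python
import sqlite3


def build_db():
    """Constructed sample database (assumption: stands in for the real MSSQL schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Suppliers(Id INTEGER, Name TEXT);
        CREATE TABLE Users(Id INTEGER, Login TEXT, PasswordHash TEXT);
        INSERT INTO Suppliers VALUES (1, 'Acme GmbH');
        INSERT INTO Users VALUES (1, 'admin', 'hash-placeholder');
    """)
    return con


def get_pagged_tab_vulnerable(con, table, page=0, page_size=50):
    """Insecure pattern: the table name is taken straight from the request,
    so any authenticated caller can page through any table, including Users."""
    sql = f"SELECT * FROM {table} LIMIT ? OFFSET ?"   # MSSQL would use OFFSET/FETCH
    return con.execute(sql, (page_size, page * page_size)).fetchall()


# Hardened form: the client names a logical view, never a physical table, and each
# view carries the permission a caller must hold (names are assumptions).
ALLOWED_VIEWS = {
    "suppliers": ("Suppliers", "supplier.read"),
}


class AuthorizationError(Exception):
    pass


def get_pagged_tab_hardened(con, user_perms, view, page=0, page_size=50):
    """Resolve the view through the allowlist and enforce authorization server-side."""
    if view not in ALLOWED_VIEWS:
        raise AuthorizationError(f"unknown view {view!r}")
    table, perm = ALLOWED_VIEWS[view]
    if perm not in user_perms:
        raise AuthorizationError(f"missing permission {perm}")
    page_size = max(1, min(int(page_size), 500))          # bound paging inputs too
    sql = f"SELECT * FROM {table} LIMIT ? OFFSET ?"        # table comes only from ALLOWED_VIEWS
    return con.execute(sql, (page_size, max(0, int(page)) * page_size)).fetchall()


def denied(con, user_perms, view):
    """True if the hardened endpoint refuses the request (used to check the fix)."""
    try:
        get_pagged_tab_hardened(con, user_perms, view)
        return False
    except AuthorizationError:
        return True
```

The point of the contrast is that an unpatched endpoint must not be "fixed" by filtering table names at a WAF alone; the server has to map a client-visible identifier to a table and check the caller's permission for it on every request.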