CVE-2024-45387 is a critical SQL injection vulnerability in Apache Traffic Control’s Traffic Ops component. This flaw allows privileged users to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, and system compromise. Threat actors are actively discussing and sharing exploits for this vulnerability in underground forums, increasing the risk for organizations using affected versions. To mitigate this threat, it is essential for organizations to upgrade to version 8.0.2 or later, apply proper input validation, and take immediate action to protect their networks and data from potential exploitation.
Apache Traffic Control’s Traffic Ops is a RESTful API service used for the management and monitoring of all servers in a Content Delivery Network (CDN). It serves as the central point for configuration, authentication, and interaction with other components of Apache Traffic Control. Traffic Ops stores configuration information in a PostgreSQL database and provides interfaces for managing and monitoring the CDN. With a CVSS score of 9.9, it poses significant risks, including data breaches, unauthorized access, and potential system takeover, and has been addressed in version 8.0.2.
Key Takeaways:
CVE-2024-45387 is an SQL injection vulnerability in Apache Traffic Control’s Traffic Ops component, affecting versions 8.0.0 and 8.0.1, allowing attackers to execute arbitrary SQL queries on the backend database.
The vulnerability can be exploited by users with privileged roles (such as admin, federation, operations, portal, or steering) to compromise sensitive data, escalate privileges, or disrupt services.
The flaw can be exploited by users with high-level roles such as “admin”, “federation”, “operations”, “portal” or “steering”, giving them the ability to execute malicious SQL queries.
Acknowledgements:
The CYFIRMA Research team acknowledges security researchers who responsibly disclosed this vulnerability.
Vulnerability Type: It leads to SQL injection vulnerabilities or unauthorized access.
CVE ID: CVE-2024-45387
CVSS Severity Score: 9.9
Application: Apache
Impact: Allow high privileges to execute arbitrary SQL injection.
Severity: CRITICAL
Affected Versions: Apache Traffic Control 8.0.0 and 8.0.1.
Patch Available: YES
CVE-2024-45387 is a critical SQL injection vulnerability in the Traffic Ops component of Apache Traffic Control. This vulnerability allows privileged users (such as those with “admin”, “federation”, “operations”, “portal” or “steering” roles) to send specially crafted PUT requests that inject malicious SQL code into the backend database. Because Traffic Ops improperly handles user input, attackers can exploit this flaw to execute arbitrary SQL queries, leading to potential data breaches, unauthorized access, data modification, or even complete system takeover. The issue has been fixed in version 8.0.2 of Apache Traffic Control.
The CVE-2024-45387 Apache Traffic Control’s Traffic Ops allows privileged users to execute arbitrary SQL queries on the backend database. This can lead to severe impacts such as data breaches, unauthorized access, data corruption, and potentially a full system compromise, making it a critical security risk for organizations using affected versions (8.0.0 and 8.0.1).
The affected versions of Apache Traffic Control are 8.0.0 and 8.0.1. Users running these versions of the Traffic Ops component are vulnerable to the SQL injection flaw identified as CVE-2024-45387. The issue has been addressed in version 8.0.2.
Is there already an exploit tool to attack this vulnerability?
Yes, an exploit tool for CVE-2024-45387 exists, which can be used to exploit the SQL injection vulnerability by sending specially crafted PUT requests to the vulnerable Traffic Ops component. These tools allow attackers with privileged access to execute arbitrary SQL queries, potentially compromising sensitive data and system integrity.
Has this vulnerability already been used in an attack?
As of now, there are no reports of CVE-2024-45387 being actively exploited in the wild. However, given its critical nature and the availability of exploit tools, it is highly recommended for organizations using affected versions (8.0.0 and 8.0.1) to upgrade to version 8.0.2 to prevent potential attacks.
Are hackers discussing this vulnerability in the Deep/Dark Web?
Yes, it’s possible that hackers may be discussing CVE-2024-45387 in the deep or dark web, especially considering its high severity (CVSS score of 9.9) and potential for exploitation. Vulnerabilities of this nature often attract attention from cybercriminals who seek to exploit them for malicious purposes.
What is the attack complexity level?
The attack complexity level for CVE-2024-45387 is considered critical. The vulnerability allows privileged access to execute arbitrary SQL queries or access sensitive files with minimal effort, making it highly exploitable, especially since the affected versions are widely used.
CVE-2024-45387 is a critical SQL injection vulnerability in Apache Traffic Control’s Traffic Ops that allows attackers to exploit improperly sanitized user input to execute arbitrary SQL commands. The vulnerability exists in the /api/5.0/deliveryservice_request_comments endpoint, where the id parameter is vulnerable to injection. Attackers leverage this weakness by appending SQL payloads, such as those using PostgreSQL’s pg_sleep() function, to manipulate the underlying database queries. By crafting specific payloads within a PUT request, the attacker can infer sensitive information about the database, such as the current_user, through timing-based techniques.
The exploitation process employs time-based blind SQL injection due to the absence of direct query outputs in the server response. The attacker constructs payloads that use conditional logic (CASE WHEN) to evaluate specific database conditions, introducing deliberate delays when the condition is true. For instance, to determine the length of the current_user, the payload injects:
If the guessed length is correct, the server delays its response by 3 seconds, revealing the length. This process is then extended to extract the value of current_user one character at a time. The script uses the substring() function to test each character at every position. A similar conditional payload is injected, where {i} denotes the character position, and {x} represents a character from the ASCII printable set. The server’s delayed response confirms a match, allowing the attacker to reconstruct the entire string.
This exploitation highlights the vulnerability’s severity, as attackers can extract sensitive information without triggering obvious errors or alerts. The blind nature of the SQL injection, combined with the timing-based inference, makes it challenging to detect through conventional logging unless response times are specifically monitored. Such exploitation could further allow an attacker to escalate privileges or manipulate database contents, depending on the database user’s permissions.
Patch Immediately: Users should upgrade to Apache Traffic Control version 8.0.2 or later to mitigate the risk of this SQL injection.
Input Validation: Ensure that all user inputs are sanitized, particularly those passed through PUT requests.
Use Prepared Statements: Avoid directly concatenating user inputs into SQL queries. Use parameterized queries or prepared statements to prevent injection attacks.
Least Privilege: Restrict access to sensitive functions based on the user’s role, ensuring that only authorized users can access critical endpoints.
Target Geography:
CVE-2024-45387 is a critical vulnerability in Apache Traffic Control’s Traffic Ops component, posing risks across various regions such as the United States, Australia, China, India, and more. As a result, organizations globally must prioritize patching and implementing robust mitigation measures to protect their systems. Taking these steps will enhance defenses and protect sensitive data from emerging threats.
Target Industry:
The CVE-2024-45387 vulnerability affects industries including telecommunications, critical infrastructure, government, and technology, as well as any organization using the impacted devices or systems. It primarily targets web applications, network devices, and databases, underscoring the need for organizations globally to prioritize patching and implement robust mitigation measures.
Target Technology:
CVE-2024-45387 specifically affects the Traffic Ops component of Apache Traffic Control, but its impact extends to any systems or devices utilizing similar web-based management interfaces for network infrastructure. The increasing discussions in underground forums and the availability of proof-of-concept exploits underscore the critical urgency for organizations to assess and address the risks posed by outdated and unsupported technologies within their environments. Prompt action to mitigate these vulnerabilities is essential to safeguard networks and prevent potential exploitation.
Presently, discussions surrounding the vulnerability in Apache Traffic Control version are ongoing, with some participants discussing the possibility of offering exploits on forums. Additionally, there are conversations regarding how the proof-of-concept (PoC) works and its potential implications.
CVE-2024-45387 represents a significant security threat to organizations using vulnerable versions of Apache Traffic Control’s Traffic Ops component. The ability for privileged users to exploit this SQL injection vulnerability poses serious risks, including unauthorized access, data breaches, and potential system compromise. With threat actors actively discussing and sharing exploits in underground forums, the urgency to address this issue is heightened. Organizations must prioritize upgrading to version 8.0.2 or later, implement robust security measures, and monitor for any signs of exploitation to protect their networks, data, and systems from potential harm.