Skip to content

Commit

Permalink
Merge pull request #854 from DIVD-NL/soplanning_casefile
Browse files Browse the repository at this point in the history 
soplanning casefile
  • Loading branch information
@vcartman
vcartman authored Oct 17, 2024
2 parents de5f3f1 + efac5d6 commit 0b3f8e1
Show file tree
Hide file tree
Showing 5 changed files with 864 additions and 0 deletions.
78 changes: 78 additions & 0 deletions _cases/2024/DIVD-2024-00024.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
---
layout: case
title: "Multiple vulnerabilities found in the SOPlanning tool"
author: Victor Pasman
lead: Max van der Horst
excerpt: "In the SOPlanning Online Planning tool, multiple critical vulnerabilities were found, including an unauthenticated SQL injection. When the non-default public view setting is enabled, it results in several Remote Code Execution (RCE) vulnerabilities. Exploitation of these vulnerabilities could allow an attacker to execute code on the underlying system and access the database."
researchers:
- Wietse Boonstra
- Hidde Smit
- Max van der Horst
cves:
- CVE-2024-27112
- CVE-2024-27113
- CVE-2024-27114
- CVE-2024-27115
product:
- SOPlanning Online Planning Tool
versions:
- versions < 1.52.02
recommendation: "Update to the latest version of SOPlanning Online Planning tool."
workaround: "None"
patch_status: None
status : Closed
start: 2024-05-29
end: 2024-10-16
timeline:
- start: 2024-05-27
end:
event: "Vulnerabilities are found by Wietse and Hidde."
- start: 2024-06-19
end:
event: "Vulnerabilities reported to vendor."
- start: 2024-06-19
end: 2024-06-19
event: "Time to Acknowledge."
- start: 2024-06-19
end:
event: "Vendor acknowledges receipt of vulnerabilities."
- start: 2024-06-19
end: 2024-07-04
event: "Time to fix."
- start: 2024-08-08
end:
event: "Limited disclosure of the vulnerabilities and publishing of CVEs."
- start: 2024-10-16
end:
event: "Initial casefile created and published."
ips: n/a
---

## Summary

The SOPlanning Online Planning tool up to version 1.52.02 contains several vulnerabilities which can be summarized to:
- An unauthenticated SQL injection, an attacker can misuse this vulnerability to retrieve information from the database.
- Two unauthenticated Remote Code Execution (RCE) vulnerabilities, these make it possible for an attacker to upload and execute an executables on the system.
- Insecure Direct Object Reference, which makes in possible for an attacker to export Database

All of these vulnerabilities would allow an attacker to take control of the underlying system.

## Recommendations

Update to the latest version of SOPlanning tool. If this is not possible, upgrade to version 1.52.02.

## What we are doing

DIVD is currently working to identify parties that are running a version of the SO Planning tool that contain these vulnerabilities and notify these parties. We do this by finding vulnerable SOPlanning Tool systems that are connected to the Internet and verifying the version installed.
{% include timeline.html %}

## More information

* {% cve CVE-2024-27112 %}
* {% cve CVE-2024-27113 %}
* {% cve CVE-2024-27114 %}
* {% cve CVE-2024-27115 %}
* [National Vulnerability Database for CVE-2024-27112](https://nvd.nist.gov/vuln/detail/CVE-2024-27112)
* [National Vulnerability Database for CVE-2024-27113](https://nvd.nist.gov/vuln/detail/CVE-2024-27113)
* [National Vulnerability Database for CVE-2024-27114](https://nvd.nist.gov/vuln/detail/CVE-2024-27114)
* [National Vulnerability Database for CVE-2024-27115](https://nvd.nist.gov/vuln/detail/CVE-2024-27115)
216 changes: 216 additions & 0 deletions _data/cves/2024/CVE-2024-27112.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,216 @@
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:soplanning:soplanning:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "soplanning",
"vendor": "soplanning",
"versions": [
{
"lessThan": "1.52.02",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27112",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T13:56:02.593465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T13:58:58.148Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://sourceforge.net/projects/soplanning/",
"defaultStatus": "unaffected",
"product": "SO Planning",
"vendor": "Simple Online Planning",
"versions": [
{
"status": "affected",
"version": "before 1.52.01"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The public view setting must be enabled."
}
],
"value": "The public view setting must be enabled."
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Wietse Boonstra"
},
{
"lang": "en",
"type": "finder",
"value": "Hidde Smit"
},
{
"lang": "en",
"type": "analyst",
"value": "Max van der Horst"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A unauthenticated SQL Injection has been found in the SO Planning tool that occurs when the public view setting is enabled. An attacker could use this vulnerability to gain access to the underlying database. The vulnerability has been remediated in version 1.52.02.&nbsp;"
}
],
"value": "A unauthenticated SQL Injection has been found in the SO Planning tool that occurs when the public view setting is enabled. An attacker could use this vulnerability to gain access to the underlying database. The vulnerability has been remediated in version 1.52.02."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "RED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/AU:Y/R:U/V:C/RE:M/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T13:41:16.813Z",
"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"shortName": "DIVD"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/CVE-2024-27112"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SQL Injection in SOPlanning before 1.52.02",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Disable the public view setting."
}
],
"value": "Disable the public view setting."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"assignerShortName": "DIVD",
"cveId": "CVE-2024-27112",
"datePublished": "2024-09-11T13:41:16.813Z",
"dateReserved": "2024-02-19T19:21:08.620Z",
"dateUpdated": "2024-09-11T13:58:58.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading

0 comments on commit 0b3f8e1

Please sign in to comment.