DIVD-NL · vcartman · Oct 17, 2024 · Oct 16, 2024 · Oct 17, 2024 · Oct 17, 2024
diff --git a/_cases/2024/DIVD-2024-00024.md b/_cases/2024/DIVD-2024-00024.md
@@ -0,0 +1,78 @@
+---
+layout: case
+title: "Multiple vulnerabilities found in the SOPlanning tool"
+author: Victor Pasman
+lead: Max van der Horst
+excerpt: "In the SOPlanning Online Planning tool, multiple critical vulnerabilities were found, including an unauthenticated SQL injection. When the non-default public view setting is enabled, it results in several Remote Code Execution (RCE) vulnerabilities. Exploitation of these vulnerabilities could allow an attacker to execute code on the underlying system and access the database."
+researchers:
+- Wietse Boonstra
+- Hidde Smit
+- Max van der Horst
+cves:
+- CVE-2024-27112
+- CVE-2024-27113
+- CVE-2024-27114
+- CVE-2024-27115
+product:
+- SOPlanning Online Planning Tool
+versions: 
+- versions < 1.52.02
+recommendation: "Update to the latest version of SOPlanning Online Planning tool."
+workaround: "None"
+patch_status: None
+status : Closed
+start: 2024-05-29
+end: 2024-10-16
+timeline:
+- start: 2024-05-27
+  end:
+  event: "Vulnerabilities are found by Wietse and Hidde."
+- start: 2024-06-19
+  end:
+  event: "Vulnerabilities reported to vendor."
+- start: 2024-06-19
+  end: 2024-06-19
+  event: "Time to Acknowledge."
+- start: 2024-06-19
+  end:
+  event: "Vendor acknowledges receipt of vulnerabilities."
+- start: 2024-06-19
+  end: 2024-07-04
+  event: "Time to fix."
+- start: 2024-08-08
+  end:
+  event: "Limited disclosure of the vulnerabilities and publishing of CVEs."
+- start: 2024-10-16
+  end:
+  event: "Initial casefile created and published."
+ips: n/a
+---
+
+## Summary
+
+The SOPlanning Online Planning tool up to version 1.52.02 contains several vulnerabilities which can be summarized to:
+- An unauthenticated SQL injection, an attacker can misuse this vulnerability to retrieve information from the database.
+- Two unauthenticated Remote Code Execution (RCE) vulnerabilities, these make it possible for an attacker to upload and execute an executables on the system.
+- Insecure Direct Object Reference, which makes in possible for an attacker to export Database
+
+All of these vulnerabilities would allow an attacker to take control of the underlying system.
+
+## Recommendations
+
+Update to the latest version of SOPlanning tool. If this is not possible, upgrade to version 1.52.02.
+
+## What we are doing
+
+DIVD is currently working to identify parties that are running a version of the SO Planning tool that contain these vulnerabilities and notify these parties. We do this by finding vulnerable SOPlanning Tool systems that are connected to the Internet and verifying the version installed.
+{% include timeline.html %}
+
+## More information
+
+* {% cve CVE-2024-27112 %}
+* {% cve CVE-2024-27113 %}
+* {% cve CVE-2024-27114 %}
+* {% cve CVE-2024-27115 %}
+* [National Vulnerability Database for CVE-2024-27112](https://nvd.nist.gov/vuln/detail/CVE-2024-27112)
+* [National Vulnerability Database for CVE-2024-27113](https://nvd.nist.gov/vuln/detail/CVE-2024-27113)
+* [National Vulnerability Database for CVE-2024-27114](https://nvd.nist.gov/vuln/detail/CVE-2024-27114)
+* [National Vulnerability Database for CVE-2024-27115](https://nvd.nist.gov/vuln/detail/CVE-2024-27115)
diff --git a/_data/cves/2024/CVE-2024-27112.json b/_data/cves/2024/CVE-2024-27112.json
@@ -0,0 +1,216 @@
+{
+  "containers": {
+    "adp": [
+      {
+        "affected": [
+          {
+            "cpes": [
+              "cpe:2.3:a:soplanning:soplanning:*:*:*:*:*:*:*:*"
+            ],
+            "defaultStatus": "unknown",
+            "product": "soplanning",
+            "vendor": "soplanning",
+            "versions": [
+              {
+                "lessThan": "1.52.02",
+                "status": "affected",
+                "version": "0",
+                "versionType": "custom"
+              }
+            ]
+          }
+        ],
+        "metrics": [
+          {
+            "other": {
+              "content": {
+                "id": "CVE-2024-27112",
+                "options": [
+                  {
+                    "Exploitation": "none"
+                  },
+                  {
+                    "Automatable": "yes"
+                  },
+                  {
+                    "Technical Impact": "total"
+                  }
+                ],
+                "role": "CISA Coordinator",
+                "timestamp": "2024-09-11T13:56:02.593465Z",
+                "version": "2.0.3"
+              },
+              "type": "ssvc"
+            }
+          }
+        ],
+        "providerMetadata": {
+          "dateUpdated": "2024-09-11T13:58:58.148Z",
+          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
+          "shortName": "CISA-ADP"
+        },
+        "title": "CISA ADP Vulnrichment"
+      }
+    ],
+    "cna": {
+      "affected": [
+        {
+          "collectionURL": "https://sourceforge.net/projects/soplanning/",
+          "defaultStatus": "unaffected",
+          "product": "SO Planning",
+          "vendor": "Simple Online Planning",
+          "versions": [
+            {
+              "status": "affected",
+              "version": "before 1.52.01"
+            }
+          ]
+        }
+      ],
+      "configurations": [
+        {
+          "lang": "en",
+          "supportingMedia": [
+            {
+              "base64": false,
+              "type": "text/html",
+              "value": "The public view setting must be enabled."
+            }
+          ],
+          "value": "The public view setting must be enabled."
+        }
+      ],
+      "credits": [
+        {
+          "lang": "en",
+          "type": "finder",
+          "value": "Wietse Boonstra"
+        },
+        {
+          "lang": "en",
+          "type": "finder",
+          "value": "Hidde Smit"
+        },
+        {
+          "lang": "en",
+          "type": "analyst",
+          "value": "Max van der Horst"
+        }
+      ],
+      "descriptions": [
+        {
+          "lang": "en",
+          "supportingMedia": [
+            {
+              "base64": false,
+              "type": "text/html",
+              "value": "A unauthenticated SQL Injection has been found in the SO Planning tool that occurs when the public view setting is enabled. An attacker could use this vulnerability to gain access to the underlying database. The vulnerability has been remediated in version 1.52.02.&nbsp;"
+            }
+          ],
+          "value": "A unauthenticated SQL Injection has been found in the SO Planning tool that occurs when the public view setting is enabled. An attacker could use this vulnerability to gain access to the underlying database. The vulnerability has been remediated in version 1.52.02."
+        }
+      ],
+      "impacts": [
+        {
+          "capecId": "CAPEC-66",
+          "descriptions": [
+            {
+              "lang": "en",
+              "value": "CAPEC-66 SQL Injection"
+            }
+          ]
+        }
+      ],
+      "metrics": [
+        {
+          "cvssV4_0": {
+            "Automatable": "YES",
+            "Recovery": "USER",
+            "Safety": "NEGLIGIBLE",
+            "attackComplexity": "LOW",
+            "attackRequirements": "NONE",
+            "attackVector": "NETWORK",
+            "baseScore": 9.3,
+            "baseSeverity": "CRITICAL",
+            "privilegesRequired": "NONE",
+            "providerUrgency": "RED",
+            "subAvailabilityImpact": "NONE",
+            "subConfidentialityImpact": "NONE",
+            "subIntegrityImpact": "NONE",
+            "userInteraction": "NONE",
+            "valueDensity": "CONCENTRATED",
+            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/AU:Y/R:U/V:C/RE:M/U:Red",
+            "version": "4.0",
+            "vulnAvailabilityImpact": "HIGH",
+            "vulnConfidentialityImpact": "HIGH",
+            "vulnIntegrityImpact": "HIGH",
+            "vulnerabilityResponseEffort": "MODERATE"
+          },
+          "format": "CVSS",
+          "scenarios": [
+            {
+              "lang": "en",
+              "value": "GENERAL"
+            }
+          ]
+        }
+      ],
+      "problemTypes": [
+        {
+          "descriptions": [
+            {
+              "cweId": "CWE-89",
+              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
+              "lang": "en",
+              "type": "CWE"
+            }
+          ]
+        }
+      ],
+      "providerMetadata": {
+        "dateUpdated": "2024-09-11T13:41:16.813Z",
+        "orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
+        "shortName": "DIVD"
+      },
+      "references": [
+        {
+          "tags": [
+            "third-party-advisory"
+          ],
+          "url": "https://csirt.divd.nl/CVE-2024-27112"
+        }
+      ],
+      "source": {
+        "discovery": "EXTERNAL"
+      },
+      "title": "SQL Injection in SOPlanning before 1.52.02",
+      "workarounds": [
+        {
+          "lang": "en",
+          "supportingMedia": [
+            {
+              "base64": false,
+              "type": "text/html",
+              "value": "Disable the public view setting."
+            }
+          ],
+          "value": "Disable the public view setting."
+        }
+      ],
+      "x_generator": {
+        "engine": "Vulnogram 0.2.0"
+      }
+    }
+  },
+  "cveMetadata": {
+    "assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
+    "assignerShortName": "DIVD",
+    "cveId": "CVE-2024-27112",
+    "datePublished": "2024-09-11T13:41:16.813Z",
+    "dateReserved": "2024-02-19T19:21:08.620Z",
+    "dateUpdated": "2024-09-11T13:58:58.148Z",
+    "state": "PUBLISHED"
+  },
+  "dataType": "CVE_RECORD",
+  "dataVersion": "5.1"
+}