Attack Chain

1. The attacker identifies a Kados R10 GreenBee instance.
2. The attacker crafts a malicious HTTP request targeting an endpoint that uses the id_project parameter in a SQL query.
3. The attacker injects SQL code into the id_project parameter within the crafted HTTP request. For example, id_project=1' OR '1'='1.
4. The Kados R10 GreenBee application processes the request and executes the injected SQL code against the database.
5. The database server executes the malicious SQL query, potentially returning sensitive information.
6. The attacker retrieves the extracted data from the application’s response.
7. Depending on the injected SQL code, the attacker may modify database records.
8. The attacker may gain unauthorized access to the database and perform further malicious actions.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2019-25702) can lead to unauthorized access to sensitive database information, including user credentials, financial data, and other confidential records. This can result in data breaches, financial loss, reputational damage, and legal liabilities for affected organizations. The vulnerability allows attackers to read and modify data, potentially disrupting business operations. The CVSS v3.1 score of 8.2 highlights the severity of this issue.

Recommendation

• Apply available patches or upgrades for Kados R10 GreenBee to address CVE-2019-25702.
• Deploy the Sigma rule Detect Suspicious SQL Injection Attempts in Kados R10 GreenBee to your SIEM to detect exploitation attempts by monitoring HTTP request parameters.
• Implement input validation and sanitization for all user-supplied data, especially for parameters used in database queries, to prevent SQL injection attacks.
• Monitor web server logs for suspicious activity, such as unusual characters or SQL keywords in the id_project parameter of HTTP requests, as shown in the log source for the Sigma rules below.