A Proof-of-Concept script showcasing the exploitation of a critical vulnerability in Microsoft Configuration Manager (ConfigMgr) was released. The PoC demonstrated that the flaw allowed remote code execution, posing a security risk to organisations using the system management software.
The vulnerability, tracked as CVE-2024-43468, was given a CVSS score of 9.8. The flaw stems from two unauthenticated SQL injection flaws in the ‘MP_Location’ service of ConfigMgr, caused by improper sanitisation of input while processing user messages. The RCE flaw impacts versions 2403, 2309 and 2303 of ConfigMgr that have not received the critical patch KB29166583. While attackers need network access to a management point to exploit it, no further authentication or user interaction is required.
The PoC script released by Synacktiv researchers showcased the following two attack vectors:
- MachineID command injection: Malicious SQL commands could be injected into the ‘SourceID’ field of an XML message, exploiting the flawed ‘getMachineID’ function.
- ContentID exploitation: A valid MachineID acquired from the database could then be used to target the ‘getContentID’ function.
Threat actors can use the two attack methods to create sysadmin accounts and remotely execute commands on the underlying server. Unauthorised access would grant attackers full control of the ConfigMgr database and contents, putting sensitive information at risk. Through privilege escalation, it would be possible to execute ransomware and malicious payloads across the managed systems.
The attack vectors allow the execution of arbitrary SQL queries on the database with sysadmin privileges via the activation of the ‘xp_cmdshell’ procedure.
Attempts to exploit CVE-2024-43468 are challenging to detect because the SQL injection payloads leave no clear traces in log files. Unusual activity, such as errors in ‘MP_Location.log’, may be a sign of exploitation attempts.
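Since the only hint the article gives defenders is unusual errors in ‘MP_Location.log’, the following added example (not part of the original article or of any Microsoft tooling) parses that log's CMTrace-style entries and pulls out the error and warning records so they can be counted per thread and fed to a monitoring pipeline. The log lines are constructed samples that imitate the CMTrace layout; the message texts, error code, timestamps and thread numbers are invented and are not real exploitation traces.

```python
import re
from collections import Counter

# Constructed sample lines in the CMTrace layout that ConfigMgr components write.
# type="1" is informational, type="2" a warning and type="3" an error.
SAMPLE_LOG = """\
<![LOG[MP LM: Message Body : <Request ...>]LOG]!><time="10:01:02.123+000" date="10-10-2024" component="MP_Location" context="" type="1" thread="4120" file="mplocation.cpp:200">
<![LOG[MP LM: Location request processed]LOG]!><time="10:01:02.456+000" date="10-10-2024" component="MP_Location" context="" type="1" thread="4120" file="mplocation.cpp:300">
<![LOG[MP LM: Error 0x80040e14 while executing stored procedure]LOG]!><time="10:01:03.001+000" date="10-10-2024" component="MP_Location" context="" type="3" thread="4120" file="mplocation.cpp:320">
<![LOG[MP LM: Warning: unexpected client state]LOG]!><time="10:01:04.000+000" date="10-10-2024" component="MP_Location" context="" type="2" thread="4121" file="mplocation.cpp:330">
"""

# One CMTrace entry: the message is wrapped in <![LOG[ ... ]LOG]!> and followed
# by a metadata tag. DOTALL lets multi-line messages (e.g. embedded XML) match.
ENTRY_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"\s+component="(?P<component>[^"]*)"'
    r'\s+context="[^"]*"\s+type="(?P<type>\d)"\s+thread="(?P<thread>\d+)"\s+file="[^"]*">',
    re.DOTALL,
)


def parse_entries(log_text):
    """Return every CMTrace entry in the text as a dict of its fields."""
    entries = []
    for m in ENTRY_RE.finditer(log_text):
        entry = m.groupdict()
        entry["type"] = int(entry["type"])
        entries.append(entry)
    return entries


def find_errors(log_text, include_warnings=False):
    """Entries worth alerting on: errors (type 3), optionally warnings (type 2) too."""
    threshold = 2 if include_warnings else 3
    return [e for e in parse_entries(log_text) if e["type"] >= threshold]


def error_counts_by_thread(log_text):
    """Count error entries per worker thread; a burst on one thread is a useful triage lead."""
    return Counter(e["thread"] for e in find_errors(log_text))


if __name__ == "__main__":
    for e in find_errors(SAMPLE_LOG, include_warnings=True):
        print(f'{e["date"]} {e["time"]} type={e["type"]} thread={e["thread"]}: {e["msg"]}')
    print(dict(error_counts_by_thread(SAMPLE_LOG)))
```

In practice the function would be run over the live file on the management point (or over copies collected by a log forwarder) and the error entries correlated with the client identity and source address recorded by IIS for the same time window; the parser itself only surfaces the entries the article points to as a possible signal.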
To mitigate the vulnerability, organisations running ConfigMgr versions 2303, 2309 and 2403 should install the critical patch KB29166583 to secure their systems. Access to management points should be restricted to trusted networks only to avoid unauthorised access. Validating all SQL inputs and using parameterised queries would prevent injection threats. It is recommended that components be kept up to date so that essential patches for specific flaws are installed.
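To make the last mitigation concrete, here is an added example (not from the article, and not ConfigMgr's own code) contrasting the weak pattern the article describes, an identifier taken from an XML message's ‘SourceID’ field and spliced straight into a SQL statement, with the hardened form: allow-list validation of the field followed by a parameterised query. The table layout, the `GUID:`-prefixed identifier format, the function names and the in-memory SQLite database are all assumptions made for illustration; nothing here models the real MP_Location schema or stored procedures.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET


def build_demo_db():
    """Constructed stand-in for a machine table (not the real ConfigMgr schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE machines (machine_id INTEGER, source_id TEXT)")
    conn.executemany(
        "INSERT INTO machines VALUES (?, ?)",
        [(101, "GUID:AAAA-1111"), (102, "GUID:BBBB-2222")],
    )
    conn.commit()
    return conn


def extract_source_id(xml_message):
    """Pull the SourceID element text out of a (constructed) request message."""
    root = ET.fromstring(xml_message)
    node = root.find("SourceID")
    return node.text if node is not None else None


def get_machine_id_unsafe(conn, source_id):
    """Weak pattern: untrusted text becomes part of the SQL statement itself."""
    sql = f"SELECT machine_id FROM machines WHERE source_id = '{source_id}'"
    return [row[0] for row in conn.execute(sql).fetchall()]


# Assumed identifier shape for the demo: a 'GUID:' prefix and hex/dash characters only.
SOURCE_ID_RE = re.compile(r"^GUID:[0-9A-Fa-f-]{1,40}$")


def get_machine_id_safe(conn, source_id):
    """Hardened pattern: reject anything outside the expected shape, then bind the value."""
    if source_id is None or not SOURCE_ID_RE.match(source_id):
        raise ValueError("SourceID rejected by input validation")
    rows = conn.execute(
        "SELECT machine_id FROM machines WHERE source_id = ?", (source_id,)
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_demo_db()
    benign = "<Request><SourceID>GUID:AAAA-1111</SourceID></Request>"
    # Constructed hostile message: the quote breaks out of the string literal in the weak version.
    hostile = "<Request><SourceID>GUID:X' OR '1'='1</SourceID></Request>"
    print("benign  ->", get_machine_id_safe(db, extract_source_id(benign)))
    print("hostile (unsafe) ->", get_machine_id_unsafe(db, extract_source_id(hostile)))
    try:
        get_machine_id_safe(db, extract_source_id(hostile))
    except ValueError as exc:
        print("hostile (safe)   ->", exc)
```

The parameter binding alone would already stop the quote from changing the statement; the allow-list check on top of it gives a cheap place to log and reject malformed identifiers before they reach the database, which is also where a detection signal can be raised.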