CVE-2023-31719: FUXA <= 1.1.12 SQL Injection Vulnerability Via /api/signin Endpoint

FUXA is a web-based open-source tool for designing and implementing industrial automation systems. Recently, a critical SQL injection vulnerability has been discovered in the FUXA <= 1.1.12 application via the /api/signin endpoint. This vulnerability has been assigned the CVE identifier CVE-2023-31719 and poses a high-risk threat for systems currently running FUXA versions 1.1.12 and below. This long-read post aims to provide detailed information about the vulnerability to encourage timely patching and updates to secure FUXA installations.

Vulnerability Details

As per the recent vulnerability disclosure, the FUXA application is vulnerable to an SQL Injection attack on the /api/signin endpoint, which allows attackers to execute arbitrary SQL queries to potentially compromise sensitive data. This exploitation may result in unauthorized access to or manipulation of sensitive information, such as user credentials and critical system information. This security vulnerability can significantly impact the confidentiality, integrity, and availability of FUXA systems and their data.

Code Snippet

The following code snippet demonstrates the potential SQL injection vulnerability in the FUXA application's vulnerable /api/signin endpoint.

function signIn(req: Request, res: Response) {
   const { userName, password } = req.body;
   // Both request-body fields are interpolated straight into the SQL text.
   const query = `SELECT * FROM users WHERE username='${userName}' AND password='${password}'`;
   ...
}

This code snippet reveals that the user-supplied userName and password fields are interpolated directly into the SQL query string without any validation, sanitization, or parameter binding. Consequently, an attacker can craft input containing SQL syntax that alters the logic of the query.

For example, an attacker could pass the following userName to exploit the vulnerability:

user' OR '1'='1

If the application does not validate and sanitize the user-supplied input, the resulting SQL query would look as follows:

SELECT * FROM users WHERE username='user' OR '1'='1' AND password='';

This query will then return all the rows from the 'users' table even if the attacker does not have the correct password.

Exploit Details

To exploit this vulnerability present in the FUXA system, an attacker can use common SQL Injection exploitation techniques such as Union-based, Time-based, and Error-based attacks. Additionally, tools like sqlmap can help automate some of these processes to exploit this vulnerability more efficiently.

Once sensitive data has been compromised, attackers can perform further post-exploitation activities such as privilege escalation and lateral movement to gain full control over the affected system.

Original References

The disclosure for this vulnerability (CVE-2023-31719) can be found in the following official references:

NVD (National Vulnerability Database)

https://nvd.nist.gov/vuln/detail/CVE-2023-31719

MITRE

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31719

FUXA Github Repository

https://github.com/frangoteam/FUXA

To mitigate this vulnerability and secure the affected FUXA installations, users should:

1. Update FUXA to the latest available version (if not already done), which should include patches that fix this vulnerability.

2. Incorporate proper input validation and sanitization techniques in the FUXA codebase for enhanced security against potential SQL injection attacks.

3. Regularly update and patch not only the FUXA software but also all dependencies and components of the system to minimize security risks.

4. Implement a strong and robust system of access controls, logging, and monitoring to detect and mitigate cyber threats effectively.

In conclusion, the SQL injection vulnerability (CVE-2023-31719) in the FUXA <= 1.1.12 web application can have severe security implications for affected installations. It is imperative to update, patch, and secure the FUXA systems to minimize the risk of exploitation and maintain the confidentiality, integrity, and availability of your automation systems and data.

Timeline

Published on: 09/22/2023 00:15:00 UTC
Last modified on: 09/25/2023 16:44:00 UTC