In Apache Traffic Control versions up to and including 8.0.1, a security vulnerability (CVE-2024-45387) allows users holding certain privileged roles to execute arbitrary SQL against the Traffic Ops database. By sending a specially-crafted PUT request, a user with the admin, federation, operations, portal, or steering role can exploit this SQL injection to read or alter data beyond what the role is meant to reach, compromising the integrity of the system. The vulnerability is fixed in Apache Traffic Control 8.0.2. Users running an affected Traffic Ops version (up to and including 8.0.1) should upgrade to 8.0.2 as soon as possible.

Details of the vulnerability and exploit

The SQL injection vulnerability in Traffic Ops (the Apache Traffic Control API server) lies in how values taken from a PUT request are handled: they are placed directly into the text of an SQL statement rather than bound as query parameters. An attacker with one of the roles listed above can therefore craft a PUT request whose field values contain SQL syntax, and that syntax is executed by the underlying database as part of the statement.

Illustrative vulnerable query (simplified; the table and column names are placeholders, not the actual Traffic Ops schema)

UPDATE traffic_flow_data
SET name='<USER_PROVIDED_NAME>', upstream='<USER_PROVIDED_UPSTREAM>'
WHERE id=<USER_PROVIDED_ID>;

In this example the values <USER_PROVIDED_NAME>, <USER_PROVIDED_UPSTREAM>, and <USER_PROVIDED_ID> are interpolated into the statement text without being parameterized or escaped. A value that contains a single quote can close the string literal early, and whatever follows it is parsed as SQL, so a maliciously-crafted PUT request controls the rest of the statement.

How to reproduce the vulnerability

1. Authenticate with the Traffic Ops API as a user with one of the mentioned roles (admin, federation, operations, portal, or steering).
2. Send a specially-crafted PUT request to the Traffic Ops endpoint responsible for managing traffic flow data. For this step, you can use a tool like cURL or Postman.

Illustrative malicious PUT request (the endpoint and field names are placeholders)

PUT /api/traffic_flow_data/1 HTTP/1.1
Host: traffic-ops.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer <ACCESS_TOKEN>

name=test%27--&upstream=test&id=1

In this example the name field carries the value test'--: the single quote closes the string literal that the server opened around the value, and the SQL comment marker (--) causes the database to ignore the remainder of the statement, including the WHERE clause. The UPDATE then applies to every row in the table instead of the one identified by the id, and a payload that keeps the statement syntactically complete can go further and retarget the update at rows or columns the request was never meant to touch.
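The following is an added example, not code from Apache Traffic Control, covering both the vulnerable-query passage and the reproduction steps above. It reproduces the string-splicing pattern the advisory describes against an in-memory SQLite database so it runs offline: SQLite stands in for the PostgreSQL database Traffic Ops uses, the table and column names are the page's own placeholders rather than the real schema, and the seed rows are constructed. The comment payload is the one from the sample PUT request; a second, constructed payload shows that an attacker can also rewrite a different row. The hardened function beside it binds the same inputs as parameters.

```python
"""Added example: SQL injection via string splicing, beside the parameterized fix.

Not Apache Traffic Control code. SQLite replaces PostgreSQL, and the
traffic_flow_data table is the page's placeholder schema, not the real one.
"""
import sqlite3

# Constructed sample data, not taken from any real deployment.
SCHEMA = """
CREATE TABLE traffic_flow_data (
    id       INTEGER PRIMARY KEY,
    name     TEXT NOT NULL,
    upstream TEXT NOT NULL
);
INSERT INTO traffic_flow_data (id, name, upstream) VALUES
    (1, 'edge-1', 'origin-a'),
    (2, 'edge-2', 'origin-b');
"""


def new_db():
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def rows(conn):
    """Snapshot of the table, ordered by id, for before/after comparison."""
    return conn.execute(
        "SELECT id, name, upstream FROM traffic_flow_data ORDER BY id"
    ).fetchall()


def update_vulnerable(conn, row_id, name, upstream):
    """The pattern behind the advisory: request values spliced into the SQL text.

    Returns the statement actually sent to the database so the caller can see
    how the payload rewrote it.
    """
    sql = f"UPDATE traffic_flow_data SET name='{name}', upstream='{upstream}' WHERE id={row_id}"
    conn.execute(sql)
    conn.commit()
    return sql


def update_safe(conn, row_id, name, upstream):
    """Hardened form: values are bound as parameters and never become SQL text.

    Returns the number of rows changed; a well-formed request touches exactly one.
    (PostgreSQL drivers use $1/$2 or %s placeholders; the principle is the same.)
    """
    cur = conn.execute(
        "UPDATE traffic_flow_data SET name=?, upstream=? WHERE id=?",
        (name, upstream, row_id),
    )
    conn.commit()
    return cur.rowcount


# Payload from the advisory's sample request: the quote closes the string
# literal and "--" comments out the rest of the statement, WHERE clause included.
COMMENT_PAYLOAD = "test'--"

# Constructed second payload: keeps the statement valid, but retargets it at
# another row and overwrites a column the request should not control.
RETARGET_PAYLOAD = "x', upstream='attacker-origin' WHERE id=2 --"


def demo_comment_injection():
    """Vulnerable update with the comment payload: every row is renamed."""
    conn = new_db()
    update_vulnerable(conn, 1, COMMENT_PAYLOAD, "test")
    return rows(conn)


def demo_retarget_injection():
    """Vulnerable update aimed at id=1 that silently rewrites id=2 instead."""
    conn = new_db()
    update_vulnerable(conn, 1, RETARGET_PAYLOAD, "test")
    return rows(conn)


def demo_parameterized():
    """Same comment payload through the bound query: stored literally, one row."""
    conn = new_db()
    changed = update_safe(conn, 1, COMMENT_PAYLOAD, "test")
    return changed, rows(conn)


if __name__ == "__main__":
    print("vulnerable, comment payload:  ", demo_comment_injection())
    print("vulnerable, retarget payload: ", demo_retarget_injection())
    print("parameterized, same payload:  ", demo_parameterized())
```

Running the block shows the three outcomes side by side: with the comment payload the vulnerable update drops its WHERE clause and renames both rows; with the retarget payload it leaves row 1 alone and overwrites row 2's upstream; the parameterized version stores the payload as an ordinary string in row 1 and reports one changed row. The fix is binding, not escaping or filtering characters such as the quote or "--", which is why input validation on its own is not a substitute for parameterized queries.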

Original References

1. Official Apache Traffic Control Security Advisory: https://trafficcontrol.apache.org/security/CVE-2024-45387
2. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45387
3. NVD - National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2024-45387

Mitigations and Recommendations

The primary mitigation is to upgrade Apache Traffic Control to version 8.0.2 or later, which removes the SQL injection in Traffic Ops. In addition, keep role assignments strict so that as few accounts as possible hold the admin, federation, operations, portal, or steering roles that this vulnerability requires, and review those accounts for credentials that may already be compromised. Monitor Traffic Ops API activity, in particular PUT requests from privileged accounts, so that suspicious requests can be detected and investigated.

Conclusion

This SQL injection vulnerability in Apache Traffic Control highlights the importance of applying security patches promptly and of limiting privileged roles to trusted users. Upgrading to Apache Traffic Control 8.0.2 and enforcing proper access control removes the exposure and reduces the damage an abused privileged account could cause.

Timeline

Published on: 12/23/2024 16:15:06 UTC
Last modified on: 12/23/2024 18:15:07 UTC