CVE-2020-15008 : Security Advisory and Response

A SQL Injection vulnerability exists in Connectwise Automate versions before 2020.7 or 2019.12, allowing for arbitrary update commands and potential data extraction.

Understanding CVE-2020-15008

What is CVE-2020-15008?

This CVE describes a SQL Injection vulnerability in the probe code of Connectwise Automate versions prior to 2020.7 or 2019.12, enabling attackers to manipulate table names and execute arbitrary SQL commands.

The Impact of CVE-2020-15008

The vulnerability permits unauthorized users to exploit the SQL Injection flaw to modify table names and execute malicious SQL commands, potentially leading to data extraction and unauthorized data manipulation.

Technical Details of CVE-2020-15008

Vulnerability Description

SQL Injection vulnerability in Connectwise Automate probe code before 2020.7 or 2019.12
Inadequate server-side validation allows for manipulation of table names
Dynamic SQL creation in the insert statement facilitates arbitrary update commands
Potential for full data extraction using SQL injection techniques

Affected Systems and Versions

All Connectwise Automate versions before 2020.7 or 2019.12

Exploitation Mechanism

Attackers can exploit the vulnerability by injecting SQL commands into user-supplied table names
Allows for unauthorized data extraction and manipulation

Mitigation and Prevention

Immediate Steps to Take

Apply the patch released in version 2020.7 or the hotfix for version 2019.12
Implement strict input validation to prevent SQL Injection attacks

Long-Term Security Practices

Regularly update software to the latest versions to address security vulnerabilities
Conduct security audits and penetration testing to identify and mitigate potential risks

Patching and Updates

Ensure timely installation of security patches and updates to protect against known vulnerabilities