The Fortra FileCatalyst Workflow is vulnerable to an SQL injection vulnerability that could allow remote unauthenticated attackers to create rogue admin users and manipulate data on the application database.
FileCatalyst Workflow is a web-based file exchange and sharing platform supporting large file sizes. It’s used by organizations worldwide to accelerate data transfers and collaborate in private cloud spaces.
The critical (CVSS v3.1: 9.8) vulnerability, tracked as CVE-2024-5276, was discovered on May 15, 2024, by Tenable researchers, but was made public only yesterday.
Fortra explains in a security bulletin that the flaw allows admin user creation and database manipulation, but stealing data isn’t viable through it.
“A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data,” reads Fortra’s bulletin.
“Likely impacts include the creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this vulnerability.”
The flaw impacts FileCatalyst Workflow 5.1.6 Build 135 and older versions. Fixes were made available in FileCatalyst Workflow 5.1.6 build 139, which is the recommended upgrade target for users.
Unauthenticated exploitation also requires that anonymous access is enabled on the target instance. Otherwise, authentication is required to exploit CVE-2024-5276.
Public exploit available
Tenable discovered CVE-2024-5276 on May 15, 2024, and first disclosed the issue to Fortra on May 22, along with a proof-of-concept (PoC) exploit demonstrating the vulnerability.
Simultaneously to the publication of Fortra’s security bulletin, Tenable published its exploit, showcasing how an anonymous remote attacker can perform SQL injection via the ‘jobID’ parameter in various URL endpoints of the Workflow web app.
The problem is that the ‘findJob’ method uses a user-supplied ‘jobID’ without sanitizing the input to form the ‘WHERE’ clause in an SQL query, allowing an attacker to insert malicious code.
Tenable’s script logs into the FileCatalyst Workflow application anonymously and performs an SQL Injection via the ‘jobID’ parameter to insert a new admin user (‘operator’) with a known password (‘password123’).
Eventually, it retrieves the logon token and uses the newly created admin credentials to log in on the vulnerable endpoint.
There have been no reports about active exploitation of the issue, but the release of a working exploit could change that very soon.
In early 2023, the Clop ransomware gang exploited a Fortra GoAnywhere MFT zero-day vulnerability, tracked as CVE-2023-0669, in data theft attacks to blackmail hundreds of organizations using the product.