Microsoft Configuration Manager Vulnerability Allows Remote Code Execution – PoC Released
A critical vulnerability, CVE-2024-43468, has been identified in Microsoft Configuration Manager (ConfigMgr), posing a severe security risk to organizations relying on this widely used systems management software.
Rated with a CVSS score of 9.8, the vulnerability allows unauthenticated attackers to execute remote code on affected systems, potentially leading to complete system compromise.
CVE-2024-43468 stems from two unauthenticated SQL injection flaws in the MP_Location service of ConfigMgr. These flaws occur due to improper input sanitization when processing client messages.
Attackers can exploit these weaknesses to execute arbitrary SQL queries on the ConfigMgr database with sysadmin privileges, enabling remote code execution (RCE) through the activation of the xp_cmdshell procedure.
The vulnerability affects ConfigMgr versions 2403, 2309, and 2303, particularly when the critical patch KB29166583 is not applied. Exploitation requires network access to a Management Point but does not necessitate authentication or user interaction, making it highly exploitable.
Microsoft Configuration Manager RCE Released
Synacktiv researchers have released a proof-of-concept (PoC) script demonstrating how attackers can leverage the vulnerability. The PoC highlights two attack vectors:
- MachineID Injection: An attacker can inject malicious SQL commands into the SourceID field of an XML message targeting the vulnerable getMachineID function.
- ContentID Injection: This vector exploits the getContentID function by providing a valid MachineID obtained from the system database.
Both methods allow attackers to create new sysadmin accounts or execute commands on the underlying server.
The implications of CVE-2024-43468 are severe:
- Unauthorized Access: Attackers can gain full access to the ConfigMgr database and its contents.
- System Compromise: By escalating privileges, attackers can execute arbitrary commands on the server, potentially deploying ransomware or other malicious payloads across managed devices.
- Data Breaches: Sensitive data stored within the ConfigMgr database is at risk.
Mitigation and Recommendations
Microsoft has addressed this vulnerability with patch KB29166583 in the patch Tuesday update. Organizations using ConfigMgr versions 2303, 2309, or 2403 should immediately apply this update to secure their systems. Additional mitigation strategies include:
- Network Segmentation: Restrict access to Management Points to trusted networks only.
- Database Security Best Practices: Validate all SQL inputs and use parameterized queries to prevent injection attacks.
- Regular Updates: Ensure that all software components are updated promptly when patches are released.
Detecting exploitation attempts for CVE-2024-43468 is challenging, as SQL injection payloads do not leave clear traces in log files. However, anomalies in MP_Location.log, such as errors following UpdateSFRequestXML messages, may indicate exploitation attempts.
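The log heuristic above, turned into a small triage script (an added example, not code from the article or from Synacktiv): it flags error entries that appear shortly after an UpdateSFRequestXML message in MP_Location.log. The CMTrace-style line layout, the meaning of type="3" as an error entry, and the sample lines are assumptions constructed for this example.

```python
"""Flag MP_Location.log anomalies: an UpdateSFRequestXML message followed
shortly by an error entry. Added example; log layout and sample lines are
constructed assumptions, not a real capture."""
import re
from datetime import datetime, timedelta

# Assumed CMTrace layout:
# <![LOG[text]LOG]!><time="HH:MM:SS.mmm+zzz" date="MM-DD-YYYY" ... type="N" ...>
# type="3" is taken to mean an error entry.
LINE_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="(?P<time>[\d:.]+)[+-]\d+" '
    r'date="(?P<date>[\d-]+)".*?type="(?P<type>\d)"'
)

def parse(lines):
    """Yield (timestamp, type, message) for each well-formed log line."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f'{m["date"]} {m["time"]}', "%m-%d-%Y %H:%M:%S.%f")
        yield ts, m["type"], m["msg"]

def find_suspicious(lines, window_s=5):
    """Return the messages of error entries that follow an UpdateSFRequestXML
    message within window_s seconds; an empty list means nothing was flagged."""
    hits, pending = [], None
    for ts, typ, msg in parse(lines):
        if "UpdateSFRequestXML" in msg:
            pending = ts  # remember the most recent request time
        elif typ == "3" and pending and ts - pending <= timedelta(seconds=window_s):
            hits.append(msg)
            pending = None  # report each request at most once
    return hits

# Constructed sample lines (hypothetical, for demonstration only).
SAMPLE = [
    '<![LOG[MP_Location: UpdateSFRequestXML message received]LOG]!><time="10:00:01.000+000" date="11-12-2024" component="MP_Location" context="" type="1" thread="100" file="x">',
    '<![LOG[Unexpected SQL error while processing request]LOG]!><time="10:00:02.500+000" date="11-12-2024" component="MP_Location" context="" type="3" thread="100" file="x">',
    '<![LOG[MP_Location: UpdateSFRequestXML message received]LOG]!><time="10:05:00.000+000" date="11-12-2024" component="MP_Location" context="" type="1" thread="101" file="x">',
    '<![LOG[Request processed]LOG]!><time="10:05:00.200+000" date="11-12-2024" component="MP_Location" context="" type="1" thread="101" file="x">',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE):
        print("suspicious:", hit)
```

Tune window_s to the request volume of the Management Point; a high rate of flagged pairs is a prompt to correlate with the patch status noted above, not proof of exploitation.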
The post Microsoft Configuration Manager Vulnerability Allows Remote Code Execution – PoC Released appeared first on Cyber Security News.