Full Report
CISA ordered federal agencies on Thursday to secure their systems against a critical Microsoft Configuration Manager vulnerability patched in October 2024 and now exploited in attacks. [...]
Analysis Summary
# Vulnerability: Microsoft Configuration Manager Remote Code Execution (RCE) via SQL Injection
## CVE Details
- **CVE ID:** CVE-2024-43468
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
## Affected Systems
- **Products:** Microsoft Configuration Manager (formerly SCCM/System Center Configuration Manager).
- **Versions:**
  - Version 2403
  - Earlier supported versions (prior to the October 2024 security updates).
- **Configurations:** Systems where the Configuration Manager site server or underlying site database is accessible to process incoming requests.
## Vulnerability Description
CVE-2024-43468 is an unauthenticated SQL injection vulnerability. The flaw exists because Microsoft Configuration Manager fails to properly neutralize input from specially crafted network requests before it is used in SQL commands (CWE-89). An attacker can leverage this to execute arbitrary SQL commands against the site database. Because the site server and its database typically operate with high privileges, this leads to Remote Code Execution (RCE) on the site server or the underlying Microsoft SQL Server database.
## Exploitation
- **Status:** Exploited in the wild (Confirmed by CISA KEV catalog).
- **Complexity:** Low (Initially rated "High" by Microsoft, but lowered following the release of a public PoC).
- **Attack Vector:** Network (Unauthenticated).
- **PoC Availability:** Available (Published by Synacktiv in November 2024).
## Impact
- **Confidentiality:** Total (Full access to the site database and managed infrastructure data).
- **Integrity:** Total (Ability to modify system configurations and execute commands).
- **Availability:** Total (Potential for full system takeover or service disruption).
## Remediation
### Patches
- Microsoft released security updates for CVE-2024-43468 as part of the **October 2024 Patch Tuesday** cycle.
- Administrators should update to the latest version of Configuration Manager (e.g., version 2403 with the applicable hotfix rollup) via the "Updates and Servicing" node in the Configuration Manager console.
### Workarounds
- There are no specific official workarounds that replace the need for patching.
- General best practices include restricting network access to the SCCM site server and database to authorized administrative segments only.
## Detection
- **Indicators of Compromise:**
  - Unusual SQL query patterns in the SCCM database logs.
  - Suspicious command execution originating from `smssqlserver` or SCCM-related service accounts.
- **Detection methods and tools:**
  - Monitor SCCM logs (specifically those handling client-to-server communication) for malformed incoming requests.
  - Use Web Application Firewalls (WAF) or Intrusion Prevention Systems (IPS) to detect SQL injection patterns targeting SCCM endpoints.
## References
- **Vendor Advisory:** hxxps[://]msrc[.]microsoft[.]com/update-guide/en-US/advisory/CVE-2024-43468
- **Synacktiv Research/PoC:** hxxps[://]github[.]com/synacktiv/CVE-2024-43468
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Original Article:** hxxps[://]www[.]bleepingcomputer[.]com/news/security/cisa-flags-microsoft-configmgr-rce-flaw-as-exploited-in-attacks/