Full Report
CERT Polska has received a report about 2 vulnerabilities (CVE-2024-8773 and CVE-2024-8774) found in SIMPLE.ERP software.
Analysis Summary
## Vulnerability Summary: SIMPLE.ERP Flaws (CVE-2024-8773 & CVE-2024-8774)
---
# Vulnerability: Algorithm Downgrade and Recoverable Superuser Password in SIMPLE.ERP
## CVE Details
- CVE ID: CVE-2024-8773
- CVSS Score: Not specified (Severity inferred from description: High impact potential)
- CWE: CWE-757 (Selection of Less-Secure Algorithm During Negotiation)
- CVE ID: CVE-2024-8774
- CVSS Score: Not specified (Severity inferred from description: High impact potential/privilege escalation)
- CWE: CWE-257 (Storing Passwords in a Recoverable Format)
## Affected Systems
- Products: SIMPLE.ERP
- Versions: From 6.20 up to and including 6.30 (Specific versions 6.20 and 6.25 remain unpatched).
- Configurations: Any standard installation of the affected versions.
## Vulnerability Description
**CVE-2024-8773 (Algorithm Downgrade):** Allows an attacker connected to the server to force a downgrade of the MS SQL protocol negotiation, potentially leading to unencrypted communication. This exposes transmitted data to interception and modification.
**CVE-2024-8774 (Recoverable Password):** The SIMPLE.ERP client stores the superuser password in a reversible/recoverable format. This allows any currently authenticated SIMPLE.ERP user to escalate their privileges to that of a database administrator.
## Exploitation
- Status: Not specified whether exploited in the wild, but PoC availability is implied by the report structure and disclosure process.
- Complexity: Medium/High (CVE-2024-8774 requires authenticated access, which suggests complexity is not trivial, while CVE-2024-8773 relates to protocol manipulation).
- Attack Vector: Network (for potential interception) and Internal User Access (for privilege escalation).
## Impact
- Confidentiality: High (CVE-2024-8773 risks interception; CVE-2024-8774 reveals high-level credentials).
- Integrity: High (CVE-2024-8773 allows modification of intercepted data; CVE-2024-8774 grants DB admin rights for data modification).
- Availability: Medium (Potential disruption from unauthorized database access).
## Remediation
### Patches
- Version **6.30** has received a patch that fixes **both** vulnerabilities and enables administrators to enforce encrypted communication.
- Versions **6.20** and **6.25** are explicitly mentioned as **unpatched** at the time of the report summary.
### Workarounds
- For versions 6.20 and 6.25, a specific workaround is not detailed; administrators should prioritize applying any available configuration hardening related to MS SQL encryption.
- For version 6.30, deploy the patched build so that encrypted communication can be enabled and enforced.
## Detection
- Review detection methods and network monitoring for MS SQL protocol negotiation attempts that indicate fallback to non-encrypted sessions.
- Monitoring for unauthorized privilege escalation attempts or database administrative actions originating from standard user accounts is critical for CVE-2024-8774.
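
One way to implement the negotiation check from the first detection point, as an added example that is not code from CERT Polska or the vendor: it reads the ENCRYPTION option from the TDS PRELOGIN exchange and classifies the session. The packet layout and option values follow the public MS-TDS specification; the sample packets and the `sample_packet` helper are constructed for illustration.

```python
import struct

# Added example; constants follow the public MS-TDS specification.
TDS_PRELOGIN, TDS_RESPONSE = 0x12, 0x04      # packet types carrying PRELOGIN data
OPT_ENCRYPTION, OPT_TERMINATOR = 0x01, 0xFF
ENCRYPT = {0x00: "ENCRYPT_OFF", 0x01: "ENCRYPT_ON",
           0x02: "ENCRYPT_NOT_SUP", 0x03: "ENCRYPT_REQ"}


def prelogin_encryption(packet: bytes):
    """Return the ENCRYPTION option name from one PRELOGIN packet, or None."""
    if len(packet) < 8 or packet[0] not in (TDS_PRELOGIN, TDS_RESPONSE):
        return None
    length = struct.unpack(">H", packet[2:4])[0]
    payload = packet[8:length]               # option offsets are payload-relative
    pos = 0
    while pos < len(payload) and payload[pos] != OPT_TERMINATOR:
        if pos + 5 > len(payload):
            return None                      # truncated option table
        token, offset, size = struct.unpack(">BHH", payload[pos:pos + 5])
        if token == OPT_ENCRYPTION:
            if size != 1 or offset >= len(payload):
                return None
            return ENCRYPT.get(payload[offset], "UNKNOWN")
        pos += 5
    return None


def classify(client_pkt: bytes, server_pkt: bytes):
    """Return (client option, server option, verdict) for one handshake."""
    client, server = prelogin_encryption(client_pkt), prelogin_encryption(server_pkt)
    if server in ("ENCRYPT_ON", "ENCRYPT_REQ"):
        verdict = "encrypted"
    elif server == "ENCRYPT_OFF":
        verdict = "login-only"               # only the login packet is protected
    else:
        verdict = "cleartext"                # ENCRYPT_NOT_SUP, unknown or unparsable
    return client, server, verdict


def sample_packet(pkt_type: int, enc: int) -> bytes:
    """Constructed sample: VERSION and ENCRYPTION options only."""
    table = struct.pack(">BHH", 0x00, 11, 6) + struct.pack(">BHH", 0x01, 17, 1) + b"\xff"
    payload = table + bytes(6) + bytes([enc])
    return struct.pack(">BBHHBB", pkt_type, 0x01, 8 + len(payload), 0, 1, 0) + payload


if __name__ == "__main__":
    for enc in (0x01, 0x00, 0x02):
        print(classify(sample_packet(0x12, 0x00), sample_packet(0x04, enc)))
```

Feed it the first client and server TDS packets of each connection, reassembled from a capture; on connections from SIMPLE.ERP clients, `login-only` and `cleartext` verdicts are the sessions to investigate.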
## References
- Vendor Advisory: Simple SA (Implied, as CERT Polska coordinated disclosure)
- CERT Polska Report Date: 24 March 2025
- Coordinated Vulnerability Disclosure Policy: hXXps://cert.pl/en/cvd/