# Full Report
CERT Polska has received a report about two vulnerabilities (CVE-2024-4995 and CVE-2024-4996) found in Wapro ERP Desktop software from Asseco Business Solutions.
## Analysis Summary
What follows is a summarized, actionable report on the identified flaws in Wapro ERP Desktop.
---
# Vulnerability: Multiple Flaws in Wapro ERP Desktop (CVE-2024-4995 & CVE-2024-4996)
## CVE Details
- **CVE ID:** CVE-2024-4995
  - **CVSS Score:** *Score not provided in source* (severity assumed High given the data interception/modification potential)
  - **CWE:** CWE-311 (Missing Encryption of Sensitive Data)
- **CVE ID:** CVE-2024-4996
  - **CVSS Score:** *Score not provided in source*
  - **CWE:** CWE-798 (Use of Hard-coded Credentials)
## Affected Systems
- **Products:** Wapro ERP Desktop
- **Versions:**
  - CVE-2024-4995: all versions before 9.00.0
  - CVE-2024-4996: all versions before 8.90.0
- **Configurations:** Standard installation of the affected software versions.
## Vulnerability Description
**CVE-2024-4995 (Missing Encryption):** The product accepts an MS SQL protocol downgrade requested from the server side. Successful exploitation allows an attacker to force communication over an unencrypted channel, enabling interception and modification of sensitive data exchanged between the application layer and MS SQL.
**CVE-2024-4996 (Hard-coded Credentials):** The Wapro ERP Desktop installer creates a database administrator account with a hard-coded password. The password is identical across all installations, so an attacker who learns it can retrieve sensitive data stored in the database.
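To make the downgrade mechanism concrete, here is an added example in Python (not code from Wapro, Asseco or CERT Polska) that models the MS-TDS PRELOGIN handshake, in which client and server each send a one-byte ENCRYPTION option before login. It parses both PRELOGIN packets, applies the negotiation table from the public MS-TDS specification, and flags an exchange whose outcome leaves application data unencrypted. The packets, the VERSION bytes and all function names are constructed for the demonstration.

```python
"""Inspect a TDS PRELOGIN exchange and flag an encryption downgrade.

Added example (not Wapro or Asseco code). Packet layout and option codes
follow the public MS-TDS specification; the sample packets are constructed.
"""
import struct

TDS_PRELOGIN = 0x12        # TDS packet type for PRELOGIN
OPT_VERSION = 0x00         # PRELOGIN option tokens
OPT_ENCRYPTION = 0x01
OPT_TERMINATOR = 0xFF

ENCRYPT_OFF = 0x00         # encrypt the login packet only
ENCRYPT_ON = 0x01          # encrypt the whole session
ENCRYPT_NOT_SUP = 0x02     # no TLS available
ENCRYPT_REQ = 0x03         # peer insists on encryption
ENC_NAMES = {ENCRYPT_OFF: "OFF", ENCRYPT_ON: "ON",
             ENCRYPT_NOT_SUP: "NOT_SUP", ENCRYPT_REQ: "REQ"}


def build_prelogin(version: bytes, encryption: int) -> bytes:
    """Build a minimal PRELOGIN packet (VERSION + ENCRYPTION + terminator).

    Only used to construct sample traffic. Option offsets are relative to
    the start of the packet payload (byte 8, just after the TDS header).
    """
    table_len = 2 * 5 + 1          # two 5-byte tokens plus the 0xFF terminator
    tokens, data = b"", b""
    for opt, value in ((OPT_VERSION, version), (OPT_ENCRYPTION, bytes([encryption]))):
        tokens += struct.pack(">BHH", opt, table_len + len(data), len(value))
        data += value
    body = tokens + bytes([OPT_TERMINATOR]) + data
    # header: type, status (EOM), length incl. header, SPID, packet id, window
    header = struct.pack(">BBHHBB", TDS_PRELOGIN, 0x01, 8 + len(body), 0, 1, 0)
    return header + body


def parse_prelogin(packet: bytes) -> dict:
    """Parse a PRELOGIN packet into {option_type: option_bytes}."""
    if len(packet) < 8:
        raise ValueError("truncated TDS header")
    ptype, _status, length, _spid, _pid, _win = struct.unpack(">BBHHBB", packet[:8])
    if ptype != TDS_PRELOGIN:
        raise ValueError(f"not a PRELOGIN packet (type 0x{ptype:02x})")
    if length != len(packet):
        raise ValueError("TDS length field does not match packet size")
    payload, options, pos = packet[8:], {}, 0
    while pos < len(payload) and payload[pos] != OPT_TERMINATOR:
        if pos + 5 > len(payload):
            raise ValueError("truncated option token")
        offset, size = struct.unpack(">HH", payload[pos + 1:pos + 5])
        if offset + size > len(payload):
            raise ValueError(f"option 0x{payload[pos]:02x} points outside payload")
        options[payload[pos]] = payload[offset:offset + size]
        pos += 5
    if pos >= len(payload):
        raise ValueError("option table missing terminator")
    return options


def negotiated_mode(client_enc: int, server_enc: int) -> str:
    """Outcome of the ENCRYPTION handshake per the MS-TDS PRELOGIN table.

    Returns 'full', 'login-only', 'none', 'client-abort' or 'server-abort'.
    """
    if client_enc in (ENCRYPT_ON, ENCRYPT_REQ):
        # a client that asked for encryption must drop a NOT_SUP answer
        return "client-abort" if server_enc == ENCRYPT_NOT_SUP else "full"
    if client_enc == ENCRYPT_OFF:
        if server_enc == ENCRYPT_OFF:
            return "login-only"          # credentials protected, data in clear
        return "none" if server_enc == ENCRYPT_NOT_SUP else "full"
    # client NOT_SUP: only a server that requires encryption refuses
    return "server-abort" if server_enc == ENCRYPT_REQ else "none"


def assess_exchange(client_pkt: bytes, server_pkt: bytes) -> dict:
    """Classify one PRELOGIN request/response pair seen on the wire.

    'downgrade' is True when the session continues with application data
    unencrypted, which is what a rewritten server response produces.
    """
    c, s = parse_prelogin(client_pkt), parse_prelogin(server_pkt)
    if OPT_ENCRYPTION not in c or OPT_ENCRYPTION not in s:
        raise ValueError("ENCRYPTION option missing from PRELOGIN")
    c_enc, s_enc = c[OPT_ENCRYPTION][0], s[OPT_ENCRYPTION][0]
    mode = negotiated_mode(c_enc, s_enc)
    return {"client": ENC_NAMES.get(c_enc, hex(c_enc)),
            "server": ENC_NAMES.get(s_enc, hex(s_enc)),
            "mode": mode, "downgrade": mode in ("none", "login-only")}


# Constructed sample traffic; the VERSION bytes are arbitrary placeholders.
SAMPLE_VERSION = bytes.fromhex("0f0000000000")
LEGACY_CLIENT = build_prelogin(SAMPLE_VERSION, ENCRYPT_OFF)        # does not insist on TLS
HONEST_SERVER = build_prelogin(SAMPLE_VERSION, ENCRYPT_ON)
TAMPERED_SERVER = build_prelogin(SAMPLE_VERSION, ENCRYPT_NOT_SUP)  # what a rewritten reply looks like

if __name__ == "__main__":
    for label, srv in (("normal", HONEST_SERVER), ("tampered", TAMPERED_SERVER)):
        print(label, assess_exchange(LEGACY_CLIENT, srv))
```

Enforcing encryption on the client side defeats the rewrite: a client that starts the handshake with ENCRYPT_ON or ENCRYPT_REQ is required by the specification to abort when the server answers NOT_SUP, which the `negotiated_mode` table reflects. Run over captured traffic on the SQL Server port, `assess_exchange` is the kind of protocol-negotiation check a network monitor can apply to spot downgrade attempts.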
## Exploitation
- **Status:** No information is available on active exploitation or on publication of a PoC. (Assumption: a PoC is likely available, given the coordinated disclosure process.)
- **Complexity:** Unknown; assumed Medium (the downgrade requires control of the network path, the credential flaw requires knowledge of the hard-coded password).
- **Attack Vector:** Network (for downgrade attack) and Local/Network (for credential compromise).
## Impact
| CVE | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| CVE-2024-4995 | High (Data interception) | High (Data modification) | Low |
| CVE-2024-4996 | High (Extraction of sensitive data) | Medium | Low |
## Remediation
### Patches
- **CVE-2024-4995 Fix:** Upgrade to version **9.00.0 or later**.
- **CVE-2024-4996 Fix:** Upgrade to version **8.90.0 or later**.
### Workarounds
*No specific workarounds were provided in the source text.*
**Recommended immediate actions based on vulnerability type:**
1. **For CVE-2024-4995:** If patching is delayed, ensure all communication channels involving the ERP database are secured via VPNs or network segmentation to prevent protocol downgrade/man-in-the-middle attacks.
2. **For CVE-2024-4996:** If patching is delayed, contact Asseco Business Solutions for instructions on manually resetting or disabling the hard-coded database administrator account immediately after installation, pending a permanent patch update.
## Detection
- **Indicators of Compromise:** Unusual network traffic patterns involving the MS SQL port, unauthorized access logs to the database administrator account, and evidence of data manipulation within the ERP database outside of normal application use.
- **Detection Methods and Tools:** Network monitoring tools that inspect SQL protocol negotiation can detect downgrade attempts; standard database audit logs should be monitored for anomalous login activity involving the default installation account.
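As an added detection example (not part of the CERT Polska report or of any vendor tooling), the following Python scans SQL Server error-log style login records for the shared administrator account and raises two kinds of alert: repeated failed logins from one client within a short window, and a successful login from a host that should not be running the ERP client. The login name `erp_admin`, the host allowlist, the thresholds and the log lines are all constructed for the demonstration; the report does not give the real account name.

```python
"""Flag anomalous use of a shared database administrator login.

Added example (not Wapro or Asseco code). The login name, allowlist and
log lines are constructed; the real installer-created account name is not
given in the advisory summary.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_LOGIN = "erp_admin"                       # constructed placeholder name
ALLOWED_CLIENTS = {"10.10.5.21", "10.10.5.22"}    # hosts that run the ERP client (constructed)
FAIL_THRESHOLD = 3                                # failures per client per window
FAIL_WINDOW = timedelta(minutes=5)

# Matches the "Logon" records SQL Server writes when login auditing is on.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Login (?P<result>succeeded|failed) for user '(?P<user>[^']+)'.*?"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_lines(lines):
    """Yield (timestamp, result, user, client) for each Logon record."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # startup messages and error lines without a CLIENT tag are skipped
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["result"], m["user"], m["client"])


def detect_admin_abuse(lines, login=WATCHED_LOGIN, allowed=ALLOWED_CLIENTS):
    """Return (kind, client, timestamp) alerts for the watched login."""
    alerts = []
    failures = defaultdict(list)   # client -> timestamps of recent failures
    for ts, result, user, client in parse_logon_lines(lines):
        if user != login:
            continue
        if result == "failed":
            recent = [t for t in failures[client] if ts - t <= FAIL_WINDOW]
            recent.append(ts)
            failures[client] = recent
            if len(recent) == FAIL_THRESHOLD:   # alert once, when the threshold is crossed
                alerts.append(("password-guessing", client, ts))
        elif client not in allowed:
            # the shared account used from a machine that should not run the ERP
            alerts.append(("unexpected-client", client, ts))
    return alerts


# Constructed sample log (format modelled on SQL Server ERRORLOG Logon records).
SAMPLE_LOG = """\
2024-12-18 08:55:01.10 Server      Logging SQL Server messages in file 'ERRORLOG'.
2024-12-18 09:00:12.37 Logon       Login succeeded for user 'erp_admin'. Connection made using SQL Server authentication. [CLIENT: 10.10.5.21]
2024-12-18 09:01:40.02 Logon       Login failed for user 'erp_admin'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-12-18 09:01:41.55 Logon       Login failed for user 'erp_admin'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-12-18 09:01:43.01 Logon       Login failed for user 'erp_admin'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-12-18 09:01:50.90 Logon       Login succeeded for user 'erp_admin'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2024-12-18 09:05:00.00 Logon       Login succeeded for user 'report_ro'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
""".splitlines()

if __name__ == "__main__":
    for kind, client, ts in detect_admin_abuse(SAMPLE_LOG):
        print(f"{ts} {kind} from {client}")
```

The allowlist rule is the one that matters for a fixed-password account: once the password is shared across installations, a failed-login burst may never appear, so a successful login from an unexpected client is often the only signal. SQL Server only writes the "Login succeeded" records when login auditing is set to log successful logins as well as failures, so that setting is a prerequisite for the second rule.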
## References
- Vendor Advisory: Asseco Business Solutions S.A. (check the vendor's official channels for the specific advisory).
- Coordinated Disclosure Information: https://cert.pl/en/cvd/
- CERT Polska Advisory: Mentioned in article dated 18 December 2024.