Zero-day vulnerability in Accellion FTA

SQL injection

The vulnerability was used to compromise several organizations worldwide, such as the Reserve Bank of New Zealand, the Australian Securities and Investments Commission (ASIC), the law firm Allens, the University of Colorado, the Washington State Auditor's Office, the QIMR Berghofer Medical Research Institute, and Singtel.

The attacks were detected in mid-December 2020 and continued into January 2021.

Vulnerability details

Advisory: SB2021021204 - SQL injection in Accellion FTA

Vulnerable component: Accellion FTA

CVE-ID:

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description:

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the application database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed to the web interface. A remote, unauthenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.

Note: the vulnerability was actively exploited in the wild in mid-December 2020 and January 2021.

External links:

https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/