CVE-2024-10376 Overview
CVE-2024-10376 is a SQL injection vulnerability in ESAFENET CDG 5, a Chinese document security and data leak prevention product. The flaw resides in the actionPassOrNotAutoSign function within /com/esafenet/servlet/service/processsign/AutoSignService.java. Attackers manipulate the UniqueId parameter to inject arbitrary SQL statements into backend database queries. The vulnerability is exploitable remotely over the network with low-privilege authentication and requires no user interaction. The exploit details have been publicly disclosed, increasing the risk of opportunistic attacks. The vendor was notified prior to public disclosure but did not respond, and no official patch has been published.
Critical Impact
Authenticated remote attackers can inject SQL through the UniqueId parameter to read, modify, or delete data managed by ESAFENET CDG 5.
Affected Products
- ESAFENET CDG version 5
- Deployments exposing the AutoSignService servlet endpoint
- Installations without compensating WAF or input filtering controls
Discovery Timeline
- 2024-10-25 - CVE-2024-10376 published to the National Vulnerability Database
- 2024-11-05 - Last updated in the NVD database
Technical Details for CVE-2024-10376
Vulnerability Analysis
The vulnerability is a classic SQL Injection flaw classified as CWE-89. The actionPassOrNotAutoSign handler in AutoSignService.java accepts a user-controlled UniqueId HTTP parameter and concatenates it directly into a SQL statement issued against the application database. Because the input is not parameterized or sanitized, attackers can break out of the original query and append arbitrary SQL clauses.
ESAFENET CDG processes sensitive document signing workflows, so the underlying database typically stores user identities, document metadata, encryption keys, and audit records. A successful injection therefore exposes information that drives the document protection workflow itself.
Root Cause
The root cause is improper neutralization of special elements used in a SQL command. The UniqueId argument is passed into a dynamically constructed query string rather than bound through a prepared statement. Java code paths that build SQL via string concatenation, such as Statement.executeQuery("... where uniqueId='" + uniqueId + "'"), allow injected metacharacters and SQL keywords to alter query semantics.
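The difference between the concatenated query and a bound parameter, as an added example (not ESAFENET code). It uses Python's sqlite3 as a stand-in for the Java Statement pattern quoted above; the table name, columns and rows are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for the CDG backend (hypothetical schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sign_request (uniqueId TEXT, owner TEXT)")
    db.executemany(
        "INSERT INTO sign_request VALUES (?, ?)",
        [("1001", "alice"), ("1002", "bob"), ("1003", "carol")],
    )
    return db

def lookup_concatenated(db, unique_id):
    # Same shape as "... where uniqueId='" + uniqueId + "'": the value becomes
    # part of the SQL text, so a quote in it ends the string literal early.
    sql = "SELECT owner FROM sign_request WHERE uniqueId='" + unique_id + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, unique_id):
    # The value is sent separately from the SQL text and is only ever
    # compared as data, whatever characters it contains.
    sql = "SELECT owner FROM sign_request WHERE uniqueId=?"
    return [row[0] for row in db.execute(sql, (unique_id,))]

# Constructed value containing a boolean condition, one of the payload
# classes the advisory lists.
HOSTILE = "1001' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_concatenated(db, HOSTILE))
    print("bound:       ", lookup_bound(db, HOSTILE))
```

In Java the bound form corresponds to a PreparedStatement with a `?` placeholder and setString for the UniqueId value.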
Attack Vector
The attack vector is network-based and requires low privileges, meaning an authenticated session against the CDG application is sufficient. An attacker issues a crafted HTTP request to the AutoSignService endpoint with a malicious UniqueId value containing SQL syntax such as boolean conditions, UNION SELECT clauses, or stacked queries. The injected payload executes within the database context used by the CDG application, granting read or write access to its tables. Public disclosure of the exploit details lowers the barrier for opportunistic attackers scanning Chinese enterprise environments for ESAFENET deployments. See the VulDB advisory and the Flowus technical write-up for additional context.
Detection Methods for CVE-2024-10376
Indicators of Compromise
- HTTP requests targeting the AutoSignService endpoint containing SQL metacharacters such as ', --, ;, or UNION in the UniqueId parameter.
- Unusual outbound database query patterns originating from the CDG application, including INFORMATION_SCHEMA enumeration or large UNION SELECT statements.
- Application or database error responses correlating with UniqueId values that contain non-numeric or non-GUID characters.
Detection Strategies
- Deploy web application firewall signatures that flag SQL injection patterns specifically on the actionPassOrNotAutoSign path.
- Enable database query logging on the CDG backend and alert on queries referencing UniqueId with concatenated literals.
- Correlate authentication logs with anomalous AutoSignService request volume to identify abuse from compromised low-privilege accounts.
Monitoring Recommendations
- Capture full HTTP request bodies and query strings to the ESAFENET CDG application for retrospective hunting.
- Forward CDG application, web server, and database logs into a centralized analytics platform to enable cross-source correlation.
- Baseline normal UniqueId value formats and alert on deviations such as excessive length, encoded characters, or SQL tokens.
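One way to hunt retrospectively for the indicators listed above, as an added example (not vendor tooling). It assumes an access log in common log format with UniqueId in the query string; the length ceiling, sample lines and IP addresses are constructed, and the endpoint path is the one used in this page's NGINX rule.

```python
import re
from urllib.parse import urlsplit, unquote_plus

ENDPOINT = "autosignservice"   # servlet named in the advisory, compared lower-cased
MAX_LEN = 64                   # assumed ceiling; set it from your own baseline
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
EXPECTED = re.compile(rf"(?:\d+|{UUID})", re.I)   # numeric or UUID only
SQL_TOKENS = re.compile(r"'|--|;|\b(?:union|select|information_schema)\b", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def raw_unique_id(query):
    """Return the undecoded UniqueId value so encoding itself can be flagged."""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name.lower() == "uniqueid":
            return value
    return None

def inspect_line(line):
    """Return the reasons a request deviates from baseline, or None if out of scope."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    raw = raw_unique_id(url.query)
    if ENDPOINT not in url.path.lower() or raw is None:
        return None
    value = unquote_plus(raw)
    reasons = []
    if len(value) > MAX_LEN:
        reasons.append("length")
    if "%" in raw or "+" in raw:
        reasons.append("encoded")
    if SQL_TOKENS.search(value):
        reasons.append("sql-token")
    if not EXPECTED.fullmatch(value):
        reasons.append("format")
    return reasons

def hunt(lines):
    """Return (line_number, reasons) for every in-scope request that deviates."""
    return [(n, r) for n, line in enumerate(lines, 1) if (r := inspect_line(line))]

# Constructed sample log lines (documentation IP range, not real traffic).
PATH = "/com/esafenet/servlet/service/processsign/AutoSignService"
FMT = '192.0.2.{} - - [25/Oct/2024:10:00:0{} +0800] "GET {}?UniqueId={} HTTP/1.1" 200 512'
SAMPLE = [FMT.format(10, 1, PATH, "48213"),
          FMT.format(10, 2, PATH, "3f2504e0-4f89-11d3-9a0c-0305e82c3301"),
          FMT.format(77, 3, PATH, "48213%27--"),
          FMT.format(77, 4, "/login", "48213%27--"),
          FMT.format(77, 5, PATH, "9" * 80)]
```

Access logs normally omit POST bodies, so values submitted in a request body need the full-request capture recommended above before this check can see them.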
How to Mitigate CVE-2024-10376
Immediate Actions Required
- Restrict network access to ESAFENET CDG 5 management and service endpoints to trusted administrative networks only.
- Disable or block requests to the AutoSignService actionPassOrNotAutoSign action if it is not required by current business workflows.
- Rotate credentials for service accounts used by the CDG database and review database audit logs for suspicious activity since October 2024.
Patch Information
No vendor patch is available at the time of writing. The vendor was contacted before disclosure but did not respond. Organizations should monitor the VulDB entry for CVE-2024-10376 for updates and contact ESAFENET support directly to request a fix or guidance.
Workarounds
- Place a web application firewall in front of ESAFENET CDG and enable SQL injection rule sets targeting the UniqueId parameter.
- Enforce strict input validation at a reverse proxy by allowing only expected UniqueId formats, such as numeric or UUID values.
- Apply least-privilege permissions to the database account used by the CDG application so that injection cannot reach administrative tables or stored procedures.
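# Example NGINX reverse proxy rule blocking suspicious UniqueId values
# Note: $arg_UniqueId reads the query string only; a UniqueId sent in a
# POST body is not inspected by this rule.
location /com/esafenet/servlet/service/processsign/AutoSignService {
    # Reject any value containing a character outside letters, digits, "_" and "-"
    if ($arg_UniqueId ~* "[^A-Za-z0-9_-]") {
        return 403;
    }
    # esafenet_backend must be defined as an upstream elsewhere in the configuration
    proxy_pass http://esafenet_backend;
}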


