CVE-2024-12144: Finder ERP/CRM SQL Injection Flaw

CVE-2024-12144 Overview

CVE-2024-12144 is a critical SQL Injection vulnerability affecting Finder Fire Safety's Finder ERP/CRM (Old System). This vulnerability stems from improper neutralization of special elements used in SQL commands, allowing attackers to inject malicious SQL queries into the application. The flaw enables unauthenticated remote attackers to manipulate database queries, potentially leading to unauthorized data access, data modification, or complete database compromise.

Critical Impact

This SQL Injection vulnerability allows unauthenticated attackers to execute arbitrary SQL commands against the backend database, potentially resulting in complete data breach, data manipulation, or system takeover.

Affected Products

• Finder Fire Safety Finder ERP/CRM (Old System) versions before 18.12.2024

Discovery Timeline

• 2025-03-06 - CVE-2024-12144 published to NVD
• 2025-03-06 - Last updated in NVD database

Technical Details for CVE-2024-12144

Vulnerability Analysis

This SQL Injection vulnerability (CWE-89) exists in the Finder Fire Safety ERP/CRM legacy system. The application fails to properly sanitize user-supplied input before incorporating it into SQL queries, creating an injection point that attackers can exploit. Because the vulnerability is accessible over the network without requiring authentication or user interaction, threat actors can directly target exposed instances of this ERP/CRM system.

The impact of successful exploitation is severe, as attackers could potentially read sensitive business data, modify or delete database records, or escalate their access to the underlying operating system depending on database configuration and privileges.

Root Cause

The root cause of this vulnerability is the improper neutralization of special elements (such as single quotes, semicolons, and SQL keywords) in user-supplied input before it is incorporated into SQL queries. The application constructs SQL statements dynamically using unsanitized input, allowing attackers to break out of the intended query structure and inject arbitrary SQL commands.

Attack Vector

The vulnerability is exploitable remotely over the network. An attacker can craft malicious HTTP requests containing SQL injection payloads targeting vulnerable input fields or parameters within the Finder ERP/CRM application. Since no authentication or user interaction is required, the attack surface is significant for any publicly exposed instances.

SQL Injection attacks against this vulnerability would typically involve techniques such as:

• Union-based injection: Appending UNION SELECT statements to extract data from other database tables
• Boolean-based blind injection: Using conditional statements to infer database contents through application responses
• Time-based blind injection: Using database sleep functions to confirm injection success when no direct output is visible
• Stacked queries: Executing multiple SQL statements to modify data or execute administrative commands

Refer to the USOM Security Notification TR-25-0060 for additional technical details.

Detection Methods for CVE-2024-12144

Indicators of Compromise

• Unusual or malformed SQL syntax appearing in web application logs
• Database error messages being returned in HTTP responses
• Unexpected database queries containing UNION, SELECT, INSERT, UPDATE, DELETE, or DROP statements
• Authentication bypass attempts or unauthorized data access patterns
• Anomalous database connection volumes or query execution times

Detection Strategies

• Deploy Web Application Firewall (WAF) rules to detect and block common SQL injection patterns
• Implement database activity monitoring to identify anomalous query patterns
• Enable detailed logging on the Finder ERP/CRM application and database servers
• Configure intrusion detection systems (IDS) with SQL injection signature rules
• Monitor for HTTP requests containing SQL metacharacters in URL parameters and POST data

Monitoring Recommendations

• Review web server access logs for requests containing SQL injection attempts
• Monitor database audit logs for unusual administrative commands or bulk data exports
• Set up alerts for database errors that may indicate injection attempts
• Track failed authentication attempts that could signal exploitation attempts
• Monitor network traffic for data exfiltration patterns from the database server

How to Mitigate CVE-2024-12144

Immediate Actions Required

• Update Finder Fire Safety Finder ERP/CRM (Old System) to version 18.12.2024 or later
• If immediate patching is not possible, restrict network access to the application
• Implement a Web Application Firewall (WAF) with SQL injection protection rules
• Review database user privileges and apply principle of least privilege
• Audit database logs for any signs of prior exploitation

Patch Information

Finder Fire Safety has addressed this vulnerability in version 18.12.2024 of the Finder ERP/CRM system. Organizations should upgrade to this version or later to remediate the SQL Injection vulnerability. Review the USOM Security Notification TR-25-0060 for official advisory information.

Workarounds

• Deploy a Web Application Firewall (WAF) configured to block SQL injection patterns
• Restrict network access to the Finder ERP/CRM application using firewall rules to allow only trusted IP addresses
• Implement input validation at the network perimeter using reverse proxy filtering
• Disable or restrict database user privileges to minimize potential impact
• Consider temporarily taking the legacy system offline until patching can be completed

# Example: Restrict access to Finder ERP/CRM at the firewall level
# Allow only trusted internal networks
iptables -A INPUT -p tcp --dport 80 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP