CVE-2024-5772 Overview
CVE-2024-5772 is a SQL injection vulnerability in Netentsec NS-ASG Application Security Gateway version 6.3. The flaw resides in the /protocol/iscuser/deleteiscuser.php endpoint, where the messagecontent parameter is passed unsanitized into a database query. Remote attackers with low-level authentication can manipulate the parameter to inject arbitrary SQL statements. Public disclosure occurred through VulDB entry #267455, and proof-of-concept material is available on GitHub. The vendor was contacted prior to disclosure but did not respond. The vulnerability is classified under [CWE-89] Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Authenticated remote attackers can manipulate the messagecontent parameter in deleteiscuser.php to execute arbitrary SQL queries against the underlying database, affecting confidentiality, integrity, and availability of stored data.
Affected Products
- Netentsec NS-ASG Application Security Gateway 6.3
- CPE: cpe:2.3:a:netentsec:application_security_gateway:6.3:*:*:*:*:*:*:*
- Component: netentsec:application_security_gateway
Discovery Timeline
- 2024-06-09 - CVE-2024-5772 published to NVD with VulDB identifier #267455
- 2025-01-29 - Last updated in NVD database
Technical Details for CVE-2024-5772
Vulnerability Analysis
The vulnerability exists in the PHP script deleteiscuser.php, which handles deletion requests for ISC user records. The script accepts the messagecontent HTTP parameter and incorporates the value directly into a SQL query without parameterization or input sanitization. Attackers supplying crafted SQL syntax through this parameter can alter query logic, extract data from arbitrary tables, modify records, or trigger destructive statements. The endpoint is reachable over the network, and exploitation requires only low privileges on the appliance.
The weakness aligns with [CWE-89], a class of injection flaws caused by string concatenation between user input and SQL statements. Public proof-of-concept material details the request structure and payload mechanics required to trigger the condition. Because NS-ASG functions as a security gateway, compromise of its backend database may expose policy configurations, user credentials, and session state.
Root Cause
The root cause is the absence of prepared statements or input validation routines in the deleteiscuser.php handler. User-controlled data flows directly from the HTTP request into a dynamic SQL string. No allowlist filtering, type casting, or escaping is applied to the messagecontent argument before query execution.
Attack Vector
Exploitation occurs remotely over the network against the management interface hosting the vulnerable PHP endpoint. The attacker submits an HTTP request to /protocol/iscuser/deleteiscuser.php with a malicious payload supplied through the messagecontent parameter. Successful exploitation does not require user interaction. The vulnerability mechanism is described in the GitHub PoC Repository and the VulDB CTI Entry #267455.
Detection Methods for CVE-2024-5772
Indicators of Compromise
- HTTP requests to /protocol/iscuser/deleteiscuser.php containing SQL metacharacters such as single quotes, UNION, SELECT, --, or ; within the messagecontent parameter.
- Unexpected database errors or stack traces logged by the NS-ASG appliance after requests to the iscuser endpoint.
- Anomalous deletion activity or schema enumeration queries originating from the application's database account.
Detection Strategies
- Deploy web application firewall (WAF) signatures that inspect POST and GET parameters on deleteiscuser.php for SQL injection patterns.
- Enable verbose database query logging on the NS-ASG backend and correlate timestamps with HTTP access logs.
- Hunt historical proxy and gateway logs for any external access to /protocol/iscuser/ paths from untrusted source addresses.
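The indicator list and the log-hunting strategy above can be combined into one pass over HTTP access logs. The following is an added example, not code from the vendor or the disclosure: it assumes combined-log-format lines, reuses the 10.0.0.0/24 admin subnet from this page's nginx workaround as the trusted range, and runs on constructed sample entries.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumption: trusted admin subnet reused from the nginx workaround on this page.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]
ENDPOINT = "/protocol/iscuser/deleteiscuser.php"
# IoC patterns named in the advisory: single quote, UNION, SELECT, --, ;
SQL_META = re.compile(r"'|--|;|\bunion\b|\bselect\b", re.IGNORECASE)
# Combined log format: client ident user [time] "METHOD target PROTO" status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.15 - admin [09/Jun/2024:10:01:02 +0000] "GET /protocol/iscuser/deleteiscuser.php?messagecontent=42 HTTP/1.1" 200 118',
    '203.0.113.7 - - [09/Jun/2024:10:02:11 +0000] "GET /protocol/iscuser/deleteiscuser.php?messagecontent=1%2527%2520-- HTTP/1.1" 500 0',
    '10.0.0.15 - admin [09/Jun/2024:10:03:40 +0000] "GET /protocol/iscuser/deleteiscuser.php?messagecontent=7%27 HTTP/1.1" 200 118',
    '203.0.113.7 - - [09/Jun/2024:10:04:05 +0000] "GET /index.php HTTP/1.1" 200 512',
]

def fully_decode(value, rounds=3):
    """Undo nested URL-encoding, e.g. %2527 -> %27 -> '."""
    for _ in range(rounds):
        value = unquote_plus(value)
    return value

def is_trusted(client):
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(addr in net for net in TRUSTED_NETS)

def inspect_line(line):
    """Return a finding for requests under /protocol/iscuser/, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    url = urlsplit(target)
    path = url.path.lower()
    if not path.startswith("/protocol/iscuser/"):
        return None
    reasons = [] if is_trusted(client) else ["untrusted-source"]
    values = parse_qs(url.query, keep_blank_values=True).get("messagecontent", [])
    if path == ENDPOINT and any(SQL_META.search(fully_decode(v)) for v in values):
        reasons.append("sql-metacharacters")
    return {"client": client, "status": int(status), "reasons": reasons} if reasons else None

def hunt(lines):
    return [f for f in map(inspect_line, lines) if f]
```

Access logs record only the query string, so a messagecontent value sent in a POST body needs request-body logging at the WAF or proxy to be covered by the same check.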
Monitoring Recommendations
- Monitor authentication events on the NS-ASG management plane for low-privilege accounts performing administrative actions.
- Alert on outbound database traffic spikes or large result sets returned by the application service account.
- Track configuration changes and user record modifications on the appliance for unexpected entries.
How to Mitigate CVE-2024-5772
Immediate Actions Required
- Restrict network access to the NS-ASG management interface to trusted administrative subnets and VPN endpoints only.
- Disable or block external requests to /protocol/iscuser/deleteiscuser.php at upstream proxies or WAFs until a vendor patch is available.
- Audit existing NS-ASG user accounts and rotate credentials for any low-privilege accounts that could be leveraged for exploitation.
- Review database and application logs for prior exploitation attempts referencing the affected endpoint.
Patch Information
No vendor patch has been published. According to the disclosure record, Netentsec was contacted before public disclosure but did not respond. Operators should track vendor channels for an official fix and consult the VulDB #267455 entry for status updates.
Workarounds
- Place the NS-ASG appliance behind a reverse proxy or WAF with SQL injection rule sets enabled for the messagecontent parameter.
- Apply network segmentation so that only designated administrative hosts can reach the appliance's HTTP management service.
- Reduce privileges of the database account used by the NS-ASG web application to limit the impact of injection attempts.
- Consider migrating to an alternative gateway product if vendor support remains unresponsive.
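# Example: block external access to the vulnerable endpoint at an upstream nginx reverse proxy
location ~* /protocol/iscuser/deleteiscuser\.php$ {
    allow 10.0.0.0/24;  # trusted admin subnet
    deny all;           # every other client receives 403 from the access module
    # No unconditional "return 403;" here: return runs in the rewrite phase, before
    # allow/deny are evaluated, and would also reject the trusted subnet.
    proxy_pass https://ns-asg-backend;  # placeholder upstream name for the appliance
}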


