CVE-2024-5773: Netentsec ASG SQL Injection Vulnerability

CVE-2024-5773 Overview

CVE-2024-5773 is a SQL injection vulnerability affecting Netentsec NS-ASG Application Security Gateway version 6.3. The flaw exists in the /protocol/firewall/deletemacbind.php script, where the messagecontent parameter is passed directly into a database query without sanitization. Authenticated remote attackers can manipulate this parameter to inject arbitrary SQL statements. The vulnerability is tracked as VDB-267456 and is classified under [CWE-89]. According to the disclosure, the vendor was contacted but did not respond, and a public exploit description is available. The issue affects a security gateway product, making exploitation particularly relevant for perimeter defense environments.

Critical Impact

Authenticated remote attackers can inject SQL through the messagecontent parameter in deletemacbind.php, exposing database contents and potentially enabling further compromise of the security gateway.

Affected Products

• Netentsec NS-ASG Application Security Gateway 6.3
• Vulnerable script: /protocol/firewall/deletemacbind.php
• Vulnerable parameter: messagecontent

Discovery Timeline

• 2024-06-09 - CVE-2024-5773 published to the National Vulnerability Database (NVD)
• 2025-01-29 - Last updated in NVD database

Technical Details for CVE-2024-5773

Vulnerability Analysis

The vulnerability is a classic SQL injection issue [CWE-89] in the NS-ASG web management interface. The script /protocol/firewall/deletemacbind.php accepts a messagecontent argument and incorporates it into a SQL statement without parameterization or input validation. An attacker authenticated to the gateway can craft a value for messagecontent that breaks the intended query structure and appends attacker-controlled SQL clauses. The vulnerability is reachable remotely over the network, and exploitation requires low-privilege credentials. Successful exploitation allows reading, modifying, or deleting records in the gateway's backing database, including firewall rule data and MAC binding entries. Because the affected component is a security gateway, manipulation of firewall configuration data could weaken perimeter defenses. The EPSS probability is 0.073% (22nd percentile), reflecting low observed exploitation activity at this time.

Root Cause

The root cause is improper neutralization of special elements used in a SQL command. The deletemacbind.php handler concatenates the messagecontent user input into a database query string. No prepared statements, bound parameters, or escaping routines are applied before the query reaches the database engine.

Attack Vector

The attack vector is network-based and targets the HTTP-accessible administrative interface of the NS-ASG appliance. An attacker with valid low-privilege credentials sends a crafted HTTP request to deletemacbind.php containing malicious SQL payloads in the messagecontent parameter. No user interaction is required.

No verified proof-of-concept code is published in the referenced sources beyond the parameter and endpoint identification. Refer to the GitHub CVE Issue Discussion and VulDB #267456 for technical context.

Detection Methods for CVE-2024-5773

Indicators of Compromise

• HTTP POST or GET requests to /protocol/firewall/deletemacbind.php containing SQL metacharacters such as single quotes, UNION, SELECT, --, or ; in the messagecontent parameter.
• Unusual database query errors logged by the NS-ASG appliance referencing the MAC binding tables.
• Unexpected modifications, deletions, or additions to MAC binding or firewall rule records.
• Authenticated administrative sessions originating from atypical source IP addresses or geolocations.

Detection Strategies

• Inspect web server and application logs on the NS-ASG appliance for requests to deletemacbind.php containing SQL syntax in the messagecontent field.
• Deploy web application firewall (WAF) signatures that match SQL injection patterns targeting the /protocol/firewall/ URI path.
• Correlate administrative authentication events with subsequent requests to firewall management endpoints to identify anomalous workflow patterns.

Monitoring Recommendations

• Enable verbose HTTP request logging on the management interface and forward logs to a centralized SIEM for retention and search.
• Alert on any database error responses returned from the gateway to remote clients, which often indicate SQL injection probing.
• Monitor for changes to firewall and MAC binding configuration outside of approved change windows.

How to Mitigate CVE-2024-5773

Immediate Actions Required

• Restrict network access to the NS-ASG administrative interface so it is reachable only from trusted management networks or a jump host.
• Rotate credentials for all accounts with access to the gateway management UI and enforce strong, unique passwords.
• Audit recent activity on deletemacbind.php and review firewall rule and MAC binding tables for unauthorized changes.

Patch Information

No vendor patch is referenced in the available advisory data. The disclosure notes that Netentsec was contacted but did not respond. Operators should track the vendor for any future firmware update addressing version 6.3 and consult VulDB CTI ID #267456 for status updates.

Workarounds

• Place the NS-ASG management interface behind a VPN or zero-trust access broker to eliminate direct internet exposure.
• Deploy a reverse proxy or WAF in front of the appliance with rules that block SQL metacharacters in requests to /protocol/firewall/deletemacbind.php.
• Limit administrative accounts to the minimum required and disable any unused low-privilege accounts that could be leveraged for authenticated exploitation.
• Increase logging retention and review database query logs frequently until a vendor fix becomes available.