CVE-2024-6007 Overview
CVE-2024-6007 is a SQL injection vulnerability affecting Netentsec NS-ASG Application Security Gateway version 6.3. The flaw resides in the /protocol/iscgwtunnel/deleteiscgwrouteconf.php script, where the messagecontent parameter is passed to a database query without proper sanitization. Authenticated remote attackers can manipulate this parameter to inject arbitrary SQL statements. The exploit has been publicly disclosed, and the vendor did not respond to disclosure attempts. The weakness is categorized under CWE-89: Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Remote attackers with low-level privileges can inject SQL queries through the messagecontent parameter, potentially exposing or modifying backend database contents on an unpatched application security gateway.
Affected Products
- Netentsec NS-ASG Application Security Gateway 6.3
- File path: /protocol/iscgwtunnel/deleteiscgwrouteconf.php
- Vulnerable parameter: messagecontent
Discovery Timeline
- 2024-06-15 - CVE-2024-6007 published to the National Vulnerability Database
- 2025-02-05 - Last updated in NVD database
Technical Details for CVE-2024-6007
Vulnerability Analysis
The vulnerability stems from unsanitized user input flowing directly into a SQL query within deleteiscgwrouteconf.php. The messagecontent HTTP parameter is concatenated into a backend query string without parameterization or escaping. Attackers send a crafted HTTP request containing SQL metacharacters in messagecontent, altering the query's logic.
Successful exploitation allows reading, modifying, or deleting rows in tables accessible to the database user backing the gateway. Because NS-ASG functions as a security gateway, the database typically holds configuration data, routing entries, and session information. Exposure of this data can undermine the security posture the appliance is intended to provide.
Exploitation requires network access to the gateway's management interface and low-privilege authentication. The public disclosure in VulDB submission #268695 increases the likelihood of opportunistic exploitation against exposed instances.
Root Cause
The root cause is improper input neutralization in deleteiscgwrouteconf.php. The application builds SQL statements through string concatenation with the messagecontent request parameter rather than using prepared statements or parameter binding. No input validation or escaping is applied before query execution.
Attack Vector
An authenticated remote attacker submits an HTTP request to /protocol/iscgwtunnel/deleteiscgwrouteconf.php with a malicious messagecontent value. The injected payload modifies the WHERE clause or appends additional SQL statements. Standard SQL injection techniques such as UNION-based extraction, boolean-based blind injection, or time-based blind injection are applicable.
Technical details and proof-of-concept artifacts are referenced in the GitHub Security Findings advisory and VulDB entry #268695.
Detection Methods for CVE-2024-6007
Indicators of Compromise
- HTTP requests to /protocol/iscgwtunnel/deleteiscgwrouteconf.php containing SQL metacharacters such as ', --, UNION, SLEEP(, or INFORMATION_SCHEMA in the messagecontent parameter
- Unusual outbound queries or large response payloads from the NS-ASG management interface
- Unexpected modifications to gateway routing or tunnel configuration tables
- Authentication events from low-privilege accounts followed by access to administrative PHP endpoints
Detection Strategies
- Inspect web access logs on the NS-ASG appliance for POST or GET requests targeting deleteiscgwrouteconf.php with non-standard messagecontent values
- Deploy a web application firewall ruleset that flags SQL injection patterns directed at the /protocol/iscgwtunnel/ path
- Correlate authentication logs with subsequent administrative endpoint access to identify abuse of low-privilege accounts
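One way to run the access-log inspection described above, as an added example that is not part of the original advisory or any vendor tooling. It assumes the appliance's web logs follow the Combined Log Format, and the sample lines, accounts and addresses are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, unquote_plus, urlsplit

ENDPOINT = "/protocol/iscgwtunnel/deleteiscgwrouteconf.php"
# Indicators named in this advisory: ', --, UNION, SLEEP(, INFORMATION_SCHEMA
INDICATORS = {
    "quote": re.compile(r"'"),
    "comment": re.compile(r"--"),
    "union": re.compile(r"\bunion\b", re.I),
    "sleep": re.compile(r"\bsleep\s*\(", re.I),
    "information_schema": re.compile(r"information_schema", re.I),
}
# Assumed layout (Combined Log Format); adjust to the appliance's real format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def fully_decode(value, rounds=3):
    """Undo nested URL-encoding so %27 and %2527 both surface as a quote."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return a finding dict for a suspicious request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if ENDPOINT not in unquote(url.path).lower():
        return None
    values = parse_qs(url.query, keep_blank_values=True).get("messagecontent", [])
    text = " ".join(fully_decode(v) for v in values)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    if not hits:
        return None
    return {"ip": m["ip"], "user": m["user"], "ts": m["ts"],
            "status": int(m["status"]), "hits": hits}

def scan(lines):
    """Scan an iterable of log lines and return all findings."""
    return [f for f in map(scan_line, lines) if f]

# Constructed sample lines (documentation IP ranges, made-up accounts).
SAMPLE_LOG = [
    '192.0.2.10 - opuser [15/Jun/2024:10:01:02 +0000] "GET /protocol/iscgwtunnel/deleteiscgwrouteconf.php?messagecontent=route1 HTTP/1.1" 200 512',
    '198.51.100.7 - opuser [15/Jun/2024:10:02:11 +0000] "GET /protocol/iscgwtunnel/deleteiscgwrouteconf.php?messagecontent=x%27%20UNION%20SELECT%201--%20 HTTP/1.1" 200 9120',
    '198.51.100.7 - opuser [15/Jun/2024:10:02:40 +0000] "GET /protocol/iscgwtunnel/deleteiscgwrouteconf.php?messagecontent=1%2520and%2520sleep%25285%2529 HTTP/1.1" 500 0',
    '192.0.2.10 - admin [15/Jun/2024:10:03:00 +0000] "GET /index.php?q=it%27s HTTP/1.1" 200 100',
]
```

Access logs normally record only the request line, so a messagecontent value sent in a POST body is invisible to this scan unless request-body logging is enabled on the management interface or an upstream proxy.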
Monitoring Recommendations
- Enable verbose HTTP request logging on the management interface and forward logs to a central SIEM for retention and analysis
- Alert on database errors emitted by the gateway, which often indicate failed injection attempts
- Monitor outbound network connections from the appliance for indicators of data exfiltration following suspicious requests
How to Mitigate CVE-2024-6007
Immediate Actions Required
- Restrict network access to the NS-ASG management interface to trusted administrative networks only
- Review and rotate credentials for any accounts that authenticate to the gateway, particularly low-privilege accounts
- Audit recent web access logs for requests to deleteiscgwrouteconf.php containing SQL syntax
- Place a web application firewall in front of the appliance to filter SQL injection patterns
Patch Information
No vendor patch is available. According to the NVD entry, Netentsec was contacted before public disclosure but did not respond. Organizations operating NS-ASG 6.3 should monitor the vendor's website for security updates and consider replacing the appliance if no fix is released.
Workarounds
- Block external access to /protocol/iscgwtunnel/deleteiscgwrouteconf.php at an upstream proxy or firewall until a patch is available
- Configure WAF rules to drop requests where the messagecontent parameter contains SQL keywords or metacharacters
- Enforce strict role-based access controls so only required administrators can reach the management plane
- Isolate the appliance on a dedicated management VLAN with no direct internet exposure
# Example WAF rule (ModSecurity) blocking SQL injection on the vulnerable endpoint
SecRule REQUEST_URI "@contains /protocol/iscgwtunnel/deleteiscgwrouteconf.php" \
    "id:1006007,phase:2,deny,status:403,log,\
    chain,msg:'CVE-2024-6007 SQLi attempt on NS-ASG'"
    SecRule ARGS:messagecontent "@rx (?i)(union(\s|\+)+select|sleep\s*\(|--|';|/\*|information_schema)" \
        "t:none,t:urlDecodeUni"


