[2025.02 Vulnerability Report] Delta Electronics DIAEnergie SQL Injection(CVE-2024-4547) | Cloud-Based Platform AIONCLOUD


CVE-2024-4547 is a SQL injection vulnerability affecting Delta Electronics DIAEnergie v1.10.1.8610 and earlier. The issue lies in the CEBC.exe component that processes the 'RecalculateScript' message, which contains four fields separated by the '~' character. An unauthenticated remote attacker could exploit this vulnerability by manipulating the fourth field to inject malicious SQL statements, which could lead to unauthorized access to sensitive data or arbitrary code execution.

For our AIWAF products, we continuously monitor vulnerabilities in components such as this one, and we will respond promptly to any related vulnerabilities that are discovered in the future.


1. Overview

CVE-2024-4547 is a SQL injection vulnerability found in Delta Electronics' DIAEnergie software version 1.10.1.8610 and earlier. The vulnerability occurs when the CEBC.exe process handles a 'RecalculateScript' message, which could allow an attacker to inject a malicious SQL query to gain unauthorized access to the database.


2. Attack Type

CEBC.exe listens on TCP port 928 and accepts and processes remote messages sent to that port.
A SQL Injection vulnerability exists when CEBC.exe processes the 'RecalculateScript' message, which is divided into four fields using the '~' character as a delimiter. An unauthenticated remote attacker can perform SQL Injection via the fourth field.

    [...]
    if (@string.StartsWith("RecalculateScript"))
    {
        // Split the incoming message into its '~'-delimited fields
        string[] array7 = @string.Split(new char[] { '~' });
        if (array7.Length != 4)
        {
            string text21 = "Command Error!" + DateTime.Now.ToString();
            byte[] bytes25 = Encoding.ASCII.GetBytes(text21);
            this.socket_1.Send(bytes25, bytes25.Length, SocketFlags.None);
            goto IL_F0C;
        }
        try
        {
            RecalculateScriptClass recalculateScriptClass = new RecalculateScriptClass();
            recalculateScriptClass.timeStart = Convert.ToDateTime(array7[1]);
            recalculateScriptClass.timeEnd = Convert.ToDateTime(array7[2]);
            recalculateScriptClass.tidList = array7[3].Split(new char[] { ',' });
            // Vulnerable: the fourth field (array7[3]) is concatenated into the SQL text without validation
            diaenergieSQLHandleClass.ExcuteSQL("UPDATE DIAE_tag SET recalculate=2 WHERE tid IN (" + array7[3] + ")");
            new Thread(new ThreadStart(recalculateScriptClass.RecalculateScript))
            {
                IsBackground = true
            }.Start();
    [...]

3. Response

CVE-2024-4547 has been addressed in the DIAEnergie v1.10.01.004 patch.

The vulnerability appears to be exploited through CEBC.exe's handling of the 'RecalculateScript' message; after further analysis, our AIWAF products will respond to it with a pattern.
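One way the string concatenation shown in section 2 could be hardened, given here as an added example (it is not Delta Electronics' patch and not code from this report): the fourth field is parsed into integers and the UPDATE is rebuilt with bound parameters. The class, method and constant names are hypothetical, and the sketch assumes `tid` is an integer column and that the database provider accepts `@name` parameter markers.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;
using System.Globalization;

// Added illustration; class, method and constant names are hypothetical.
static class RecalculateScriptGuard
{
    // Assumed upper bound on ids per message; tune to the deployment.
    const int MaxTids = 1000;

    // Turns the fourth '~' field into integers, or throws before any SQL is built.
    // Assumes DIAE_tag.tid is an integer column (not stated in the report).
    public static int[] ParseTidList(string field)
    {
        string[] parts = field.Split(',');
        if (parts.Length > MaxTids)
            throw new FormatException("too many tids");

        var tids = new int[parts.Length];
        for (int i = 0; i < parts.Length; i++)
        {
            // NumberStyles.None accepts decimal digits only: no sign, spaces,
            // quotes, parentheses or comment markers survive this check.
            if (!int.TryParse(parts[i], NumberStyles.None,
                              CultureInfo.InvariantCulture, out tids[i]))
                throw new FormatException("tid is not a plain integer");
        }
        return tids;
    }

    // Builds the same UPDATE with one bound parameter per id, so the statement
    // text contains only generated placeholder names, never message content.
    public static DbCommand BuildRecalculateUpdate(DbConnection conn, IReadOnlyList<int> tids)
    {
        DbCommand cmd = conn.CreateCommand();
        var names = new string[tids.Count];
        for (int i = 0; i < tids.Count; i++)
        {
            DbParameter p = cmd.CreateParameter();
            p.ParameterName = names[i] = "@tid" + i; // "@" marker is provider-specific
            p.Value = tids[i];
            cmd.Parameters.Add(p);
        }
        cmd.CommandText = "UPDATE DIAE_tag SET recalculate=2 WHERE tid IN ("
                          + string.Join(",", names) + ")";
        return cmd;
    }
}
```

A handler would call `ParseTidList(array7[3])` right after the field-count check and treat a `FormatException` the same way as a malformed command, so no statement is executed for a message whose fourth field is not a list of integers.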


4. Conclusion

CVE-2024-4547 is a SQL injection vulnerability affecting Delta Electronics DIAEnergie v1.10.1.8610 and earlier. The issue is in the CEBC.exe component, which handles a 'RecalculateScript' message containing four fields separated by the '~' character. An unauthenticated remote attacker can exploit this vulnerability by manipulating the fourth field to inject a malicious SQL statement, gaining unauthorized access to sensitive data or executing arbitrary code.

For our AIWAF products, we continue to monitor vulnerabilities in components like this one, and we will continue to respond quickly to any related vulnerabilities that are discovered.

