CVE-2023-30223

Vulnerability

A broken authentication vulnerability exists in 4D SAS 4D Server software versions v17, v18, v19 R7, and earlier. The vulnerability allows an attacker to send crafted TCP packets containing requests to perform arbitrary actions on the server, bypassing authentication checks.

Exploitation

Exploitation requires network access to the 4D Server and possession of the server's private key. The default server certificates and keys are identical across all installations (including trial versions) [1], making them a known factor. An attacker can use a man-in-the-middle approach with tools like Burp Suite and modified scripts (e.g., mitm_relay3.py) to inject crafted packets into the TCP stream between the client and server [1]. The attacker must first obtain the server private key (e.g., from a compromised machine or default key disclosure) to perform the injection [2].

Impact

Successful exploitation allows an attacker to execute arbitrary actions on the server, potentially leading to full compromise of the 4D application and its data. The attacker gains the ability to perform any operation that the server supports, without proper authentication.

Mitigation

To mitigate this vulnerability, replace the default server private key with a unique one. 4D provides a bugfix that restricts the requests accepted before authentication, available starting from versions: 4D v19.7 LTS (build 288986), 4D v20.2 LTS (build 100956), 4D v20 R2 HF1 (build 100440), and all later versions [2]. Additionally, 4D v20 R4 automatically regenerates the server private key at each start. Applications not using the built-in password system are not directly impacted [2].