Supply Chain Weakness Leading to Domain Admins: The Vulnerability That Became a CVE
Supply chains often serve as the weakest link in advanced cyberattacks. During a security assessment for a client, we discovered how the Smadar SPS system, used for smart printing solutions, became a direct gateway to Domain Admins. This critical vulnerability was documented under CVE-2024-47921 and highlighted the importance of securing every step of the supply chain.
Step 1: Identifying Sensitive Systems
During our penetration testing, we focused on identifying sensitive systems connected to the organization’s network. As part of this process, we identified a system named Smadar Interface, which was used as part of the supply chain for smart printing solutions. Further examination revealed a configuration file that appeared to contain critical and encrypted information.

Step 2: Discovering High-Level Database Privileges
A detailed analysis of the configuration file revealed that it contained encrypted passwords. Further investigation showed that one of the passwords belonged to a user with sa (Super Admin) privileges on an MSSQL database connected to the organization’s ERP system. This discovery highlighted a significant weakness in the system’s security architecture.

Step 3: Reverse Engineering and Decrypting Passwords
After identifying the suspicious file, we reverse-engineered the Smadar Interface application to understand the encryption mechanism it used. Through our analysis, we identified a weak encryption algorithm that did not meet modern security standards. Using the gathered information, we developed a custom script to decrypt the passwords stored in the file, granting us access to elevated privileges.


Step 4: GAME OVER
With the decrypted database passwords, we connected to the MSSQL server with Super Admin privileges. From there, gaining full control of the network was a straightforward process. We were able to execute system commands, leading to a complete domain takeover. At this stage, the security game was over.
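The condition described in Steps 2 and 4 can be audited from the database side. The following read-only T-SQL is an added example, not part of the original write-up or of the Smadar product: it lists every login holding sysadmin, the state of the built-in sa login, the xp_cmdshell setting, and which hosts and programs are currently connected with sysadmin rights. It assumes the auditor's login has VIEW ANY DEFINITION and VIEW SERVER STATE; the page does not say how system commands were executed, so treating xp_cmdshell as relevant is an assumption.

```sql
-- Added audit example (not from the original write-up). Read-only queries.

-- 1. Every login that holds the sysadmin server role.
--    SQL logins (type_desc = SQL_LOGIN) authenticate with a password that an
--    application has to store somewhere, such as a configuration file.
SELECT  p.name                  AS login_name,
        p.type_desc             AS login_type,
        p.is_disabled,
        l.is_policy_checked,
        l.is_expiration_checked,
        p.modify_date
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
LEFT JOIN sys.sql_logins        AS l ON l.principal_id = p.principal_id
WHERE   r.name = N'sysadmin'
ORDER BY p.type_desc, p.name;

-- 2. State of the built-in sa login, located by its fixed SID (0x01) so the
--    check still works if the login has been renamed.
SELECT  name, is_disabled, modify_date
FROM    sys.sql_logins
WHERE   sid = 0x01;

-- 3. Whether xp_cmdshell is enabled (assumption: relevant to Step 4).
--    This is a secondary control; sysadmin membership from query 1 is the
--    primary finding to remediate.
SELECT  name, CAST(value_in_use AS int) AS value_in_use
FROM    sys.configurations
WHERE   name = N'xp_cmdshell';

-- 4. Current sessions running as sysadmin, with client host and program,
--    to find which applications actually connect at that privilege level.
SELECT  s.session_id, s.login_name, s.host_name, s.program_name, s.login_time
FROM    sys.dm_exec_sessions AS s
WHERE   s.is_user_process = 1
  AND   IS_SRVROLEMEMBER(N'sysadmin', s.login_name) = 1
ORDER BY s.login_name, s.host_name;
```

Any third-party application that appears in query 4 is a candidate for a dedicated login with only the database-level permissions it needs.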
Step 5: Official Registration as a CVE
After analyzing the vulnerability and its implications, we submitted our findings to the National Cyber Directorate. As always, the directorate assisted us in officially registering the vulnerability under CVE-2024-47921, classified under CWE-327: Use of a Broken or Risky Cryptographic Algorithm. The report included all technical details to ensure other organizations using this system could be informed.

Conclusions: The Importance of Supply Chain Security and Penetration Testing
This case highlights the risk posed by a single weak link in the supply chain, which can lead to complete control over critical organizational systems. Supply chain security must be handled rigorously, as every product integrated into the organization’s network could become a potential backdoor.
Furthermore, it is essential to ensure that every new product entering the organizational network undergoes thorough penetration testing. These tests can identify vulnerabilities in advance and prevent attackers from exploiting them.