
Vulnerabilities in Comarch ERP XL software
15 February 2024 | CERT Polska | #vulnerability, #warning, #cve, #top
CVE ID: CVE-2023-4537
Publication date: 15 February 2024
Vendor: Comarch SA
Product: Comarch ERP XL
Vulnerable versions: From 2020.2.2 through 2023.2
Vulnerability type (CWE): Missing Encryption of Sensitive Data (CWE-311)
Report source: Report to CERT Polska

CVE ID: CVE-2023-4538
Publication date: 15 February 2024
Vendor: Comarch SA
Product: Comarch ERP XL
Vulnerable versions: From 2020.2.2 through 2023.2
Vulnerability type (CWE): Insufficiently Protected Credentials (CWE-522)
Report source: Report to CERT Polska

CVE ID: CVE-2023-4539
Publication date: 15 February 2024
Vendor: Comarch SA
Product: Comarch ERP XL
Vulnerable versions: From 2020.2.2 through 2023.2
Vulnerability type (CWE): Use of Hard-coded Credentials (CWE-798)
Report source: Report to CERT Polska

Description

CERT Polska has received a report about vulnerabilities found in Comarch ERP XL software and participated in coordinating their disclosure. All the vulnerabilities have been confirmed by the vendor and fixed in newer releases.

  • The vulnerability CVE-2023-4537 allows an MS SQL protocol downgrade request issued from the server side to be honored, which could result in unencrypted communication exposed to data interception and modification.
  • The vulnerability CVE-2023-4538 concerns insufficiently protected credentials. The database access credentials configured during installation are stored in a special table and are encrypted with a shared key that is the same across all vulnerable Comarch ERP XL installations. This could allow an attacker with access to that table to retrieve plaintext passwords.
  • The vulnerability CVE-2023-4539 allows an attacker to retrieve embedded sensitive data stored in the database. The same hard-coded password for a special database account is used across all vulnerable Comarch ERP XL installations.
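A practical way for an administrator to see whether the downgrade described for CVE-2023-4537 has actually taken effect on a given database server is to list the sessions whose TDS connection is not encrypted. The query below is an added example, not part of the CERT Polska advisory and not Comarch's code; it uses only the standard SQL Server dynamic management views `sys.dm_exec_connections` and `sys.dm_exec_sessions`. The client program name that Comarch ERP XL reports to the server is not stated in the advisory, so the query does not filter on it; the `program_name` column is returned so that the sessions of interest can be identified by the operator.

```sql
-- Added example (not from the advisory or the vendor): list user sessions on this
-- SQL Server instance whose connection is not encrypted. A session for which the
-- client accepted a server-side downgrade request would appear here with
-- encrypt_option = 'FALSE'. Run against the instance that hosts the ERP database.
SELECT
    s.session_id,
    s.login_name,
    s.host_name,
    s.program_name,          -- client-reported name; use it to pick out ERP client sessions
    c.client_net_address,
    c.protocol_type,         -- 'TSQL' for regular client connections
    c.encrypt_option         -- 'TRUE' or 'FALSE'
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
    ON s.session_id = c.session_id
WHERE c.encrypt_option = 'FALSE'
  AND s.is_user_process = 1  -- skip SQL Server's own background sessions
ORDER BY s.login_name, s.host_name;
```

An empty result set only shows that the sessions currently connected to this server are encrypted; it does not prove that a client cannot be downgraded by a server it talks to, so this is a detection aid to run during and after rollout of the fixed releases, not a replacement for upgrading to a version above 2023.2.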

Credits

We thank Marcin Ochab, PhD for the responsible vulnerability report.


More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.