SIMPLE.ERP MS SQL Protocol Downgrade Vulnerability Allowing Unencrypted Communication

Vulnerability

A vulnerability in SIMPLE.ERP versions 6.20 through 6.30@a03.9 allows a server-side MS SQL protocol downgrade, leading to unencrypted communication that could be intercepted and modified. It could be exploited through a man-in-the-middle attack in which the attacker impersonates the server to intercept and alter data. Version 6.30@a03.9 has been patched to enforce encrypted communication; versions 6.20 and 6.25 remain unpatched.

Impact

Exploitation of this vulnerability could result in unencrypted data transmission, allowing for interception and modification of communication between the SIMPLE.ERP client and the MS SQL server.

Remediation

Users can update to SIMPLE.ERP version 6.30@a03.9, which addresses this vulnerability and allows administrators to enforce encrypted communication. Instructions for updating can be found on the SIMPLE.ERP website.
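As an added example (not SIMPLE.ERP or vendor code), a check a defender can run over captured client/server MS SQL traffic: it parses the TDS PRELOGIN reply and flags responses in which the server negotiated no session encryption, which is the condition the downgrade described above produces. The TDS layout is assumed from Microsoft's MS-TDS specification, and the sample packets are constructed rather than captured.

```python
# Added example, not SIMPLE.ERP or vendor code. Layout assumed from MS-TDS: 8-byte
# packet header, then option tokens (token, BE16 offset, BE16 length) ended by 0xFF;
# the ENCRYPTION option (token 0x01) carries one byte. Sample packets are constructed.
import struct

TDS_HEADER_LEN = 8
OPT_VERSION, OPT_ENCRYPTION, OPT_TERMINATOR = 0x00, 0x01, 0xFF
ENCRYPTION_NAMES = {
    0x00: "ENCRYPT_OFF",      # only the login packet is encrypted, rest is clear text
    0x01: "ENCRYPT_ON",       # whole session encrypted
    0x02: "ENCRYPT_NOT_SUP",  # server claims no TLS support: clear text
    0x03: "ENCRYPT_REQ",      # server requires encryption
}

def parse_prelogin_options(packet: bytes) -> dict:
    # Validate the header length field before trusting any offset in the option list.
    if len(packet) < TDS_HEADER_LEN or struct.unpack(">H", packet[2:4])[0] != len(packet):
        raise ValueError("bad TDS header or length")
    payload, options, pos = packet[TDS_HEADER_LEN:], {}, 0
    while pos < len(payload) and payload[pos] != OPT_TERMINATOR:
        if pos + 5 > len(payload):
            raise ValueError("truncated PRELOGIN option header")
        offset, length = struct.unpack(">HH", payload[pos + 1:pos + 5])
        if offset + length > len(payload):
            raise ValueError("PRELOGIN option points outside payload")
        options[payload[pos]] = payload[offset:offset + length]
        pos += 5
    if pos >= len(payload):
        raise ValueError("PRELOGIN option list has no terminator")
    return options

def encryption_mode(packet: bytes) -> str:
    value = parse_prelogin_options(packet).get(OPT_ENCRYPTION, b"")
    return ENCRYPTION_NAMES.get(value[0], "UNKNOWN") if len(value) == 1 else "ENCRYPTION_MISSING"

def is_downgrade(packet: bytes) -> bool:
    # True when the server's answer leaves the data session in clear text.
    return encryption_mode(packet) in {"ENCRYPT_OFF", "ENCRYPT_NOT_SUP", "ENCRYPTION_MISSING"}

def build_prelogin(encryption: int) -> bytes:
    """Constructed server PRELOGIN reply (type 0x04) carrying VERSION + ENCRYPTION."""
    version = bytes([0x0F, 0x00, 0x07, 0xD0, 0x00, 0x00])  # 6-byte VERSION value
    ver_off = 2 * 5 + 1                                     # two option headers + terminator
    payload = (bytes([OPT_VERSION]) + struct.pack(">HH", ver_off, len(version))
               + bytes([OPT_ENCRYPTION]) + struct.pack(">HH", ver_off + len(version), 1)
               + bytes([OPT_TERMINATOR]) + version + bytes([encryption]))
    header = struct.pack(">BBHHBB", 0x04, 0x01, TDS_HEADER_LEN + len(payload), 0, 1, 0)
    return header + payload

if __name__ == "__main__":
    print([(encryption_mode(build_prelogin(m)), is_downgrade(build_prelogin(m))) for m in range(4)])
```

Run against PRELOGIN replies extracted from a capture, any ENCRYPT_OFF or ENCRYPT_NOT_SUP answer from a server that is supposed to enforce encryption is the indicator to alert on.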

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.2
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.