Navis Mitigates SQL Vulnerability

Friday, August 19, 2016 @ 04:08 PM gHale


Navis created custom patches to mitigate a SQL Injection vulnerability with proof-of-concept (PoC) exploit code affecting its WebAccess application, according to a report with ICS-CERT.

The vulnerability report ended up released by “bRpsd” without coordination with either the vendor or ICS-CERT.

RELATED STORIES
Navis WebAccess SQL Injection Hole
Rockwell Strategies to Fix SNMP Hole
Moxa Clears SQL Injection Hole
Siemens SINEMA Server Hole

Exploits that target this remotely exploitable vulnerability are publicly available.

Navis WebAccess, all versions released prior to August 10 suffer from the issue.

Successful exploitation of the vulnerability may allow a remote attacker to compromise the confidentiality, integrity, and availability of the SQL database.

Navis, a subsidiary of Cargotec Corporation, is a United States-based company that has customers worldwide.

The affected product, WebAccess, is a web-based application that provides the operator and its constituents with real-time, online access to operational logistics information. WebAccess sees action across the transportation sector. Navis said these products see use on a global basis.

The WebAccess application does not properly sanitize input that may allow a remote attacker to read, modify, and affect availability of data in the SQL database.

CVE-2016-5817 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.

An attacker with low skill would be able to exploit this vulnerability.

Navis said they released custom patches on August 10 for its WebAccess application, which is a legacy product in use by thirteen customers around the world, five of which are in the United States.

The SQL injection vulnerability, which targeted publicly available news-pages in the application, was brought to Navis’ attention on August 9. Navis said they contacted all their affected customers and all customers in the United States have implemented the fix.

Navis recommends all WebAccess users should install the available patch as soon as possible.

In the event a Navis customer has questions regarding this issue, they are encouraged to contact customer support through the Navis Collaboration Portal.