Navis WebAccess SQL Injection Hole

Thursday, August 18, 2016 @ 03:08 PM gHale


There is a report of a SQL injection vulnerability, with proof-of-concept (PoC) exploit code, affecting the Navis WebAccess application, according to a report from ICS-CERT.

This remotely exploitable vulnerability has been exploited against multiple U.S.-based organizations, resulting in data loss.

There is a campaign of activity affecting maritime transportation sector members, according to ICS-CERT, which wants to provide awareness to critical infrastructure organizations along with making available indicators of compromise (IoCs) and mitigation recommendations.

Successful exploitation of the vulnerability may allow a remote attacker to compromise the confidentiality, integrity, and availability of the SQL database. There is a direct threat to the data stored within the system as well as systems that may be related to and/or depend on the system in question.

The National Cybersecurity & Communications Integration Center (NCCIC) Cyber Incident Scoring System (NCISS) rating is 45, which garners a green/low rating.

A low rating means it is unlikely to impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence, according to NCCIC.

This report was released by “bRpsd” without coordination with either the vendor or ICS-CERT.

The affected product, WebAccess, is a web-based application that provides the operator and its constituents with real-time, online access to operational logistics information. The WebAccess application is used across the transportation sector. These products are used on a global basis.

The exploit code has been publicly released and requires low sophistication to execute. The application does not properly sanitize input, which may allow a remote attacker to read and modify data in the SQL database.

Initial signs of the attack may show up in the logs of the web application server as well as the database logs. Further investigation will show manipulated URL input and the resulting database queries within the database logs.

Anyone running the related software should increase the level of logging and be alert to error conditions pertaining to the application.
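As an illustration of that log review (an added example, not code from ICS-CERT or the vendor), the following Python sketch scans web server access logs for SQL syntax in URL parameters and for server error responses. The advisory summary does not name the affected URL, so the path `/app/report.do`, the parameter `id` and the log lines are constructed placeholders, and the Combined Log Format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Combined Log Format (assumed): client, request target and status are all we need.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

# Triage heuristic, not a WAF rule: SQL syntax that rarely belongs in a parameter value.
SQLI_RE = re.compile(
    r"""['";]|--|/\*|\bunion\b.*\bselect\b|\b(?:or|and)\b\s+\d+\s*=\s*\d+""",
    re.IGNORECASE | re.DOTALL)

def scan(lines):
    """Return (line_no, client, status, reasons) for each log line worth a look."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        reasons = []
        query = urlsplit(target).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # parse_qsl decodes once; decode again to catch double-encoded input.
            if SQLI_RE.search(unquote_plus(value)):
                reasons.append(f"sql-syntax-in:{name}")
        if status.startswith("5"):
            reasons.append("server-error")  # the error conditions to be alert to
        if reasons:
            findings.append((n, client, status, reasons))
    return findings

# Constructed sample lines; the path and parameter name are hypothetical.
SAMPLE = [
    '192.0.2.10 - - [18/Aug/2016:10:01:02 +0000] "GET /app/report.do?id=1042 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Aug/2016:10:01:09 +0000] "GET /app/report.do?id=1042%27 HTTP/1.1" 500 312',
    '198.51.100.7 - - [18/Aug/2016:10:01:15 +0000] "GET /app/report.do?id=1+UNION+SELECT+NULL,NULL HTTP/1.1" 200 9001',
    '203.0.113.4 - - [18/Aug/2016:10:02:00 +0000] "GET /app/status.do HTTP/1.1" 503 0',
    '198.51.100.7 - - [18/Aug/2016:10:02:10 +0000] "GET /app/report.do?id=1%2527%2520or%25201%253D1 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Lines that carry both a flagged parameter and a 5xx status are the ones to correlate first with the database logs for the same timestamp.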

ICS-CERT is currently reaching out to the vendor to identify mitigations.