An application used in the transportation sector worldwide is plagued by a high severity SQL injection vulnerability. The hacker who discovered the issue released a proof-of-concept (PoC) exploit without informing the vendor and ICS-CERT says the flaw has already been exploited against organizations in the United States.
The vulnerable application is Navis WebAccess, a web-based app that provides transport operators real-time access to operational logistics information.
A hacker who uses the online moniker “bRpsd” discovered that the product’s publicly accessible news pages are plagued by a SQL injection vulnerability (CVE-2016-5817) that allows a remote attacker to read or modify data stored in the application’s SQL database.
Navis, a subsidiary of Cargotec Corporation, learned about the vulnerability on August 9, one day after the hacker published the PoC exploit. Custom patches for this flaw were released by the vendor on August 10.
Navis WebAccess is a legacy product that is used by only 13 organizations around the world, including five in the United States. An online search conducted by SecurityWeek shows that the application is present on the websites of the Georgia Ports Authority, the Port of Virginia, Port of Houston Authority, and Ports America. WebAccess is also accessible on the website of a port in India.
According to ICS-CERT, the vendor has contacted all the affected customers and the patches have been applied by all customers in the United States. However, the agency pointed out that the vulnerability has been exploited against multiple US-based organizations, resulting in data loss.
Since transportation systems is one of the 16 critical infrastructure sectors, ICS-CERT has published a security alert to warn the critical infrastructure community in the U.S., and provide indicators of compromise (IoC) and mitigation advice.
The vulnerability has been assigned an NCCIC Cyber Incident Scoring System (NCISS) rating of “low,” which indicates that the issue is unlikely to have an impact on public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.
The Zone-H defacement database shows that the hacker bRpsd has defaced more than 1,200 random websites since mid-2014. He has also published exploits for a handful of applications.
Related: Learn More at SecurityWeek’s 2016 ICS Cyber Security Conference
