A software used in the US ports is affected by a high severity SQL Injection vulnerability (CVE-2016-5817). The flaw was discovered by a hacker behind the online moniker “bRpsd,” the expert has discovered the vulnerability in the Navis WebAccess application, a web-based software that provides transport operators real-time access to operational logistics information.
The Navis WebAccess is a legacy product that is still used by only 13 organizations worldwide, five of them are located in the United States including Georgia Ports Authority, the Port of Virginia, Port of Houston Authority, and Ports America.
“Rpsd” discovered that the Navis WebAccess application ’s publicly accessible news pages are affected by the SQL injection vulnerability that could be exploited by a remote attacker to read or modify data stored in the application’s database.
The patch management was well-timed, the software vendor, Navis, was informed about the vulnerability on August 9, just a day after Rpsd published the PoC exploit. Navis released custom patches on August 10.
The ICS-CERT published a security advisory on the flaw in the Navis WebAccess, it also reported that all customers in the United States have already applied the patched released by the vendor.
“ICS-CERT is aware of a public report of an SQL Injection vulnerability with proof-of-concept (PoC) exploit code affecting the Navis WebAccess application. This report was released by “bRpsd” without coordination with either the vendor or ICS-CERT. ICS-CERT has reached out to Navis who has validated the reported vulnerability. Navis has produced custom patches to mitigate this vulnerability.” states the advisory.
The bad news is that according to the ICS-CERT, the SQL Injection vulnerability has been exploited against multiple US-based organizations allowing attackers to steal data.
“ICS-CERT is aware of a public report of SQL Injection vulnerability with proof-of-concept (PoC) exploit code affecting the Navis WebAccess application. This vulnerability has been exploited against multiple U.S.-based organizations, resulting in data loss.” states a security alert issued by the ICS-CERT.
Transportation systems are critical infrastructure, this means that its protection is vital for the country. The ICS-CERT alert also includes indicators of compromise (IoC) and suggestions to mitigate the risk of exposure.
The vulnerability has been assigned an NCCIC Cyber Incident Scoring System (NCISS) rating of “low.”
(Security Affairs – US Ports, critical infrastructure)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.