Today the DHS ICS-CERT published an advisory for the SQL injection vulnerability in the Navis WebAccess application, the same vulnerability that ICS-CERT reported yesterday in an alert concerning its uncoordinated public disclosure. Today’s advisory reports that Navis has produced “custom patches to mitigate this vulnerability”. There is no indication that bRpsd, the researcher who published the vulnerability, has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to compromise the confidentiality, integrity, and availability of the SQL database. A separate incident response Alert published yesterday reports that there have been multiple live exploits of this vulnerability.
There is a very interesting explanation in the Mitigation section of this advisory that I am repeating here:
“Navis reports that they have released custom patches on August 10, 2016, for the Navis WebAccess application, which is a legacy product that is in use by thirteen customers around the world, five of which are in the United States. The SQL injection vulnerability, which targeted publicly available news-pages in the application, was brought to Navis’ attention on August 9, 2016. Navis reports that they have contacted all their affected customers and that all customers in the United States have implemented the fix.”
This is a remarkably quick response to a vulnerability in an extremely low-volume legacy product. An SQL injection vulnerability should be relatively easy to fix (the standard remedy is to bind the user-supplied value as a query parameter instead of splicing it into the query text), but a one-day turnaround from a vendor is commendable and should set the standard for the industry.
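To show what “relatively easy to fix” means in practice, here is an added example that is not code from the original post and is not Navis’s code: a hypothetical news-page lookup written the way most web-application SQL injection bugs are written, beside a parameterized version and a version that also validates the request parameter. The table names, sample rows, credential hash and the request parameter are all constructed for the example and are not taken from WebAccess or the advisory.

```python
"""Hypothetical public news-page lookup: the SQL injection pattern and its fix.

Constructed example, not Navis code. Uses an in-memory SQLite database so it
runs offline; the same concatenation-vs-binding distinction applies to any
SQL driver.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a toy schema: a public 'news' table and a sensitive 'users' table.

    All rows are constructed sample data; the hash is a placeholder string.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [
            (1, "Terminal hours", "Gate open 06:00-22:00"),
            (2, "Holiday schedule", "Closed Monday"),
        ],
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "$2b$12$constructed-hash-not-real")],
    )
    conn.commit()
    return conn


def news_page_vulnerable(conn: sqlite3.Connection, news_id: str) -> list:
    """The bug: the request parameter is pasted into the SQL text.

    An unauthenticated visitor controls 'news_id', so they control the query.
    'news_id=1 OR 1=1' dumps the whole table; a UNION reads other tables.
    """
    query = f"SELECT title, body FROM news WHERE id = {news_id}"
    return conn.execute(query).fetchall()


def news_page_parameterized(conn: sqlite3.Connection, news_id: str) -> list:
    """The fix: the value is bound as a parameter, never parsed as SQL.

    The driver sends the query text and the value separately, so
    '1 OR 1=1' is compared as a literal string against the integer id
    column and simply matches nothing.
    """
    return conn.execute(
        "SELECT title, body FROM news WHERE id = ?", (news_id,)
    ).fetchall()


def news_page_fixed(conn: sqlite3.Connection, news_id: str) -> list:
    """Defense in depth: validate the parameter's shape, then bind it.

    Rejecting anything that is not a plain integer turns an attack attempt
    into a loggable error instead of a silently empty page.
    """
    if not news_id.isdigit():
        raise ValueError("news id must be a positive integer")
    return conn.execute(
        "SELECT title, body FROM news WHERE id = ?", (int(news_id),)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Constructed attacker inputs, as they would arrive in a query string.
    payloads = ["1", "1 OR 1=1", "0 UNION SELECT username, pw_hash FROM users"]
    for p in payloads:
        print("vulnerable   ", repr(p), "->", news_page_vulnerable(db, p))
        print("parameterized", repr(p), "->", news_page_parameterized(db, p))
        try:
            print("fixed        ", repr(p), "->", news_page_fixed(db, p))
        except ValueError as exc:
            print("fixed        ", repr(p), "-> rejected:", exc)
```

Note that the UNION payload reaches the credentials table without needing a second statement, so the fact that `sqlite3`'s `execute` refuses stacked statements is no protection here; only binding the value (or, at minimum, validating it) closes the hole. The patch for a bug of this shape is a one-line change per query, which is why a one-day vendor turnaround is plausible.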