Today the DHS ICS-CERT published an advisory for the SQL injection vulnerability reported yesterday by ICS-CERT in an alert concerning an uncoordinated public disclosure about the vulnerability in the Navis WebAccess application. Today’s advisory reports that Navis has produced “custom patches to mitigate this vulnerability”. There is no indication that bRpsd, the researcher who published the vulnerability, has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit the vulnerability to compromise the confidentiality,
integrity, and availability of the SQL database. A separate incident response
Alert published yesterday reports that there have been multiple live
exploits of this vulnerability.
There is a very interesting explanation in the Mitigation
section of this advisory that I am repeating here:
“Navis reports that they have
released custom patches on August 10, 2016, for the Navis WebAccess
application, which is a legacy product that is in use by thirteen customers
around the world, five of which are in the United States. The SQL injection
vulnerability, which targeted publicly available news-pages in the application,
was brought to Navis’ attention on August 9, 2016. Navis reports that
they have contacted all their affected customers and that all customers in the
United States have implemented the fix.”
This is a remarkably quick response to a vulnerability in an
extremely low volume legacy product. An SQL injection vulnerability should be
relatively easy to fix, but a one-day turnaround from a vendor is commendable
and should set the standard for the industry.
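To make concrete why the fix is considered straightforward, here is an added example (not code from the advisory, from Navis, or from the researcher) of the classic defect and its remediation. It assumes a hypothetical "news" table looked up by an article id from a request parameter, mirroring the advisory's description of publicly available news pages; the schema, rows and inputs are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: a tiny table standing in for a public news page
# that serves articles by id. Hypothetical schema, not the Navis product's.
ARTICLES = [
    (1, "Port schedule update", "public"),
    (2, "Internal operations memo", "restricted"),
    (3, "Holiday hours", "public"),
]


def make_db():
    """Build an in-memory database seeded with the constructed articles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, audience TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", ARTICLES)
    return conn


def fetch_public_article_unsafe(conn, article_id):
    """Vulnerable pattern: the request value is spliced into the SQL text.

    Whatever the parameter contains is parsed as SQL, so a value that is not a
    plain integer changes the meaning of the WHERE clause instead of being
    treated as data. This is the defect class the advisory describes.
    """
    sql = f"SELECT id, title FROM news WHERE audience = 'public' AND id = {article_id}"
    return conn.execute(sql).fetchall()


def fetch_public_article_safe(conn, article_id):
    """Hardened form: validate the type at the boundary, then bind a parameter.

    The SQL text is fixed; the driver sends the value separately, so it can
    only ever be compared against the id column. Non-integer input is rejected
    before any query runs.
    """
    try:
        article_id = int(article_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT id, title FROM news WHERE audience = 'public' AND id = ?"
    return conn.execute(sql, (article_id,)).fetchall()


def compare(article_id):
    """Run both variants on the same request value and return (unsafe, safe) results."""
    conn = make_db()
    return fetch_public_article_unsafe(conn, article_id), fetch_public_article_safe(conn, article_id)


if __name__ == "__main__":
    # A well-formed request behaves identically in both versions.
    print(compare("3"))
    # A malformed request value exposes the difference: the concatenated query
    # leaks the restricted row as well, while the parameterized version
    # rejects the input and returns nothing.
    print(compare("2 OR 1=1"))
```

The point for a defender reviewing a legacy web application is that the remediation is mechanical: every place a request value reaches a query, replace string building with a bound parameter and add input validation at the edge. That is consistent with the one-day patch turnaround the advisory describes.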