This alert
briefly describes a reported SQL injection vulnerability in the Navis WebAccess
application. The vulnerability was publicly reported (NOTE:
link was not included in ICS-CERT Alert) by bRpsd without prior coordination.
According to ICS-CERT: “WebAccess, is a web-based
application that provides the operator and its constituents with real-time,
online access to operational logistics information.” There is currently no
mention of ‘WebAccess’ on the Navis web site,
but there is a brief Navis
promo on the Georgia Ports Authority web site that uses WebAccess.
Navis Incident Response Alert
This alert briefly
reports that the vulnerability described in the vulnerability Alert has been
publicly exploited, noting that the vulnerability “has been exploited against
multiple U.S.-based organizations, resulting in data loss”. ICS-CERT reports
that NCCIC Scoring System rates these incidents as ‘LOW’, noting: “Is unlikely
to impact public health or safety, national security, economic security,
foreign relations, civil liberties, or public confidence.”
Siemens Update
This update
revises the list of versions affected by twin vulnerabilities included in the
Advisory. It also provides a revised list of links to the updated versions of
the affected software.
As noted above, ICS-CERT published this update and announced it
on TWITTER® on Tuesday. Siemens, of course, published their ProductCERT update
last Thursday; specifically adding “fix information for WinCC V7.2, Route
Control and SIMATIC BATCH V8.2”. They announced
their update on TWITTER the same day.
Commentary
The incident response alert issued today is the first that I
recall seeing from ICS-CERT. According to the blurb on the ICS-CERT landing page
describing this alert: “This report is intended to provide awareness to the US
Critical Infrastructure community and make available Indicators of Compromise
(IOCs) and mitigation recommendations.” This is an important function of
ICS-CERT.
Fortunately, this is a relatively low impact vulnerability,
at least on the national level. For the individual database owner, this could
be costly depending on how much they depend on the ready availability of the
database for their (and their customers’) operations.
Since this is an SQL injection vulnerability, there is not
much in the way of ‘indicators of compromise’ for ICS-CERT to share beyond data
logging and analysis. While database owners should be doing
this anyway (but I suspect very few do), I doubt that this advisory will have
much direct effect on the problem in the short run. Hopefully Navis will get an
update out quickly and will actively push it to their customers.