Navis WebAccess app used by US Ports is affected by a SQL injection flaw

The Navis WebAccess application used in the transportation sector worldwide is affected by a high severity SQL injection vulnerability.

A software used in the US ports is affected by a high severity SQL Injection vulnerability (CVE-2016-5817). The flaw was discovered by a hacker behind the online moniker “bRpsd,” the expert has discovered the vulnerability in the Navis WebAccess application, a web-based software that provides transport operators real-time access to operational logistics information.

The Navis WebAccess is a legacy product that is still used by only 13 organizations worldwide, five of them are located in the United States including Georgia Ports Authority, the Port of Virginia, Port of Houston Authority, and Ports America.

“Rpsd” discovered that the Navis WebAccess application ’s publicly accessible news pages are affected by the SQL injection vulnerability that could be exploited by a remote attacker to read or modify data stored in the application’s database.

The hacker bRpsd has defaced more than 1,200 websites since 2014, he is known for its abilities for developing exploits for multiple applications.

The patch management was well-timed, the software vendor, Navis, was informed about the vulnerability on August 9, just a day after Rpsd published the PoC exploit. Navis released custom patches on August 10.

The ICS-CERT published a security advisory on the flaw in the Navis WebAccess, it also reported that all customers in the United States have already applied the patched released by the vendor.

“ICS-CERT is aware of a public report of an SQL Injection vulnerability with proof-of-concept (PoC) exploit code affecting the Navis WebAccess application. This report was released by “bRpsd” without coordination with either the vendor or ICS-CERT. ICS-CERT has reached out to Navis who has validated the reported vulnerability. Navis has produced custom patches to mitigate this vulnerability.” states the advisory.

The bad news is that according to the ICS-CERT, the SQL Injection vulnerability has been exploited against multiple US-based organizations allowing attackers to steal data.

“ICS-CERT is aware of a public report of SQL Injection vulnerability with proof-of-concept (PoC) exploit code affecting the Navis WebAccess application. This vulnerability has been exploited against multiple U.S.-based organizations, resulting in data loss.” states a security alert issued by the ICS-CERT.

Transportation systems are critical infrastructure, this means that its protection is vital for the country. The ICS-CERT alert also includes indicators of compromise (IoC) and suggestions to mitigate the risk of exposure.

The vulnerability has been assigned an NCCIC Cyber Incident Scoring System (NCISS) rating of “low.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – US Ports, critical infrastructure)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.