Navis WebAccess app used by US Ports is affected by a SQL injection flaw

The Navis WebAccess application used in the transportation sector worldwide is affected by a high severity SQL injection vulnerability.

A software used in the US ports is affected by a high severity SQL Injection vulnerability (CVE-2016-5817). The flaw was discovered by a hacker behind the online moniker “bRpsd,” the expert has discovered the vulnerability in the Navis WebAccess application, a web-based software that provides transport operators real-time access to operational logistics information.

The Navis WebAccess is a legacy product that is still used by only 13 organizations worldwide, five of them are located in the United States including Georgia Ports Authority, the Port of Virginia, Port of Houston Authority, and Ports America.

“Rpsd” discovered that the Navis WebAccess application ’s publicly accessible news pages are affected by the SQL injection vulnerability that could be exploited by a remote attacker to read or modify data stored in the application’s database.

The hacker bRpsd has defaced more than 1,200 websites since 2014, he is known for its abilities for developing exploits for multiple applications.

The patch management was well-timed, the software vendor, Navis, was informed about the vulnerability on August 9, just a day after Rpsd published the PoC exploit. Navis released custom patches on August 10.

The ICS-CERT published a security advisory on the flaw in the Navis WebAccess, it also reported that all customers in the United States have already applied the patched released by the vendor.

“ICS-CERT is aware of a public report of an SQL Injection vulnerability with proof-of-concept (PoC) exploit code affecting the Navis WebAccess application. This report was released by “bRpsd” without coordination with either the vendor or ICS-CERT. ICS-CERT has reached out to Navis who has validated the reported vulnerability. Navis has produced custom patches to mitigate this vulnerability.” states the advisory.

The bad news is that according to the ICS-CERT, the SQL Injection vulnerability has been exploited against multiple US-based organizations allowing attackers to steal data.

“ICS-CERT is aware of a public report of SQL Injection vulnerability with proof-of-concept (PoC) exploit code affecting the Navis WebAccess application. This vulnerability has been exploited against multiple U.S.-based organizations, resulting in data loss.” states a security alert issued by the ICS-CERT.

Transportation systems are critical infrastructure, this means that its protection is vital for the country. The ICS-CERT alert also includes indicators of compromise (IoC) and suggestions to mitigate the risk of exposure.

The vulnerability has been assigned an NCCIC Cyber Incident Scoring System (NCISS) rating of “low.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – US Ports, critical infrastructure)