Safenet Sentinel and 7-T Input Sanitization Vulnerability

Low RiskICS-CERT ICSA-11-314-01Aug 13, 2011

Summary

Input sanitization vulnerabilities in SafeNet Sentinel HASP SDK (versions prior to 5.11) and Sentinel HASP Run-time installers (versions prior to 6.x), as well as 7 Technologies IGSS version 7, allow cross-site scripting (XSS) attacks via unsanitized input fields. These products are commonly used for license management and industrial control system HMI interfaces. The vendors have not released patches for these vulnerabilities, and CISA recommends implementing defensive measures to minimize exploitation risk.

What this means

What could happen

Cross-site scripting (XSS) vulnerabilities in SafeNet Sentinel HASP SDK and 7-T IGSS could allow an attacker to inject malicious scripts into web interfaces, potentially compromising access to engineering workstations or HMI systems used to manage industrial processes.

Who's at risk

Water utilities and electric utilities using SafeNet Sentinel HASP SDK for license management or 7-T IGSS for HMI/SCADA operations should review their exposure. The risk is highest if these products are internet-facing or accessible from engineering networks where operators manage critical process controls.

How it could be exploited

An attacker could inject malicious JavaScript into input fields in the HASP SDK or IGSS web interface that are not properly sanitized. When an authorized user views the affected page, the injected script executes in their browser, potentially allowing credential theft or unauthorized process control commands.

Prerequisites

Web access to the affected product interface
User interaction required (the victim must visit a page containing the injected payload)

no patch availableinput validation weakness (CWE-79)affects HMI/engineering interfaces

Exploitability

Unlikely to be exploited — EPSS score 0.9%

Affected products (3)

1 pending2 EOL

ProductAffected VersionsFix Status

7 Technologies (7T) IGSS: 77No fix yet

SafeNet Sentinel HASP SDK: <5.11<5.11No fix (EOL)

Sentinel HASP Run-time installers: <6.x<6.xNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGIsolate HASP SDK and IGSS systems from untrusted network access using firewalls and network segmentation

HARDENINGRestrict web interface access to authorized engineering workstations only

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGMonitor for suspicious input or script execution on affected systems

WORKAROUNDImplement input validation and output encoding at the application level if possible through configuration changes

CVEs (1)

CVE-2011-3339

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0da020af-cc82-4710-b89c-786ffc91fe29

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.