Ocean Data Systems Dream Reports XSS and Write Access Violation Vulnerabilities
Low Risk · ICS-CERT ICSA-12-024-01 · Oct 27, 2012
Summary
Dream Reports versions prior to 4.0 contain two vulnerabilities: (1) a cross-site scripting (XSS) flaw (CWE-79) that allows attackers to inject malicious scripts into reports viewed by users, and (2) a write access violation (CWE-284, improper access control) that permits attackers to bypass access controls and modify reports and associated data without proper authorization. No patch is currently available from the vendor.
What this means
What could happen
An attacker with network access to Dream Reports could inject malicious scripts that execute in the browsers of users viewing reports, or bypass access controls to modify reports and data without authorization.
Who's at risk
Organizations using Ocean Data Systems Dream Reports for reporting and data visualization should be concerned. This affects any facility using Dream Reports for operational or administrative reporting, including water utilities, electric utilities, and other critical infrastructure that may rely on this software for situational awareness.
How it could be exploited
An attacker sends a crafted URL or embedded malicious code to a user accessing Dream Reports through a web browser. When the user clicks the link or views the affected page, the injected script runs in their browser (XSS), or the attacker directly modifies report data and configurations by exploiting inadequate access control checks.
Prerequisites
- Network access to Dream Reports web interface
- User must visit a malicious link or view an affected report (for XSS)
- No authentication bypass is required for the write access vulnerability
Tags: remotely exploitable · XSS allows script execution in user browsers · access control bypass allows unauthorized modification · no patch available
Exploitability
Moderate exploit probability (EPSS 2.6%)
Affected products (1)
Product | Affected Versions | Fix Status
Dream Reports | <4.0 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to Dream Reports to authorized personnel only using firewall rules or network segmentation
HARDENING: Implement Web Application Firewall (WAF) rules to detect and block XSS payloads targeting Dream Reports
WORKAROUND: Disable or restrict write access functionality in Dream Reports if not required for operations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade Dream Reports to version 4.0 or later when available from the vendor
CVEs (2)