Navis WebAccess SQL Injection Vulnerability

Monitor7.3ICS-CERT ICSA-16-231-01May 22, 2016

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Navis WebAccess contains a SQL injection vulnerability in web-accessible input fields. An unauthenticated attacker over the network could inject SQL commands to read, modify, or delete data from the underlying database, potentially affecting historical process data, alarm logs, configuration records, and user credentials stored in the application database.

What this means

What could happen

An attacker could inject SQL commands into the WebAccess database without credentials, potentially reading or modifying operational data, alarm logs, or configuration settings that may affect plant visibility and control.

Who's at risk

This affects users of Navis WebAccess, a web-based SCADA monitoring and data visualization platform commonly deployed in water systems, power utilities, and industrial facilities for real-time process monitoring, historical trending, and alarm management.

How it could be exploited

An attacker on the network sends a crafted HTTP request with SQL injection payload in an input field that is not properly validated by WebAccess. The injected SQL executes against the backend database, allowing the attacker to query, insert, update, or delete data depending on database permissions.

Prerequisites

Network access to the Navis WebAccess web interface (typically port 80 or 443)
No valid credentials required
Input field vulnerable to SQL injection must be accessible in the web application

Remotely exploitableNo authentication requiredLow complexityNo patch availableWeb-accessible interface increases exposure

Exploitability

Low exploit probability (EPSS 0.3%)

Affected products (1)

ProductAffected VersionsFix Status

Navis WebAccess: <August-10-2016<August-10-2016No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDRestrict network access to Navis WebAccess to authorized engineering workstations and administration computers only using firewall rules and network segmentation.

WORKAROUNDDisable or restrict access to Navis WebAccess from the internet and untrusted networks.

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade to a patched version of Navis WebAccess or migrate to an alternative monitoring solution that receives active vendor support.

Mitigations - no patch available

0/2

Navis WebAccess: <August-10-2016 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGMonitor database access logs and query patterns for anomalous SQL commands or large data transfers.

HARDENINGImplement web application firewall (WAF) rules to detect and block common SQL injection patterns in HTTP requests.

CVEs (1)

CVE-2016-5817

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/a0c179ea-3f03-4c6c-901e-2db35c310516