Kabona AB WDC Vulnerabilities (Update A)

Plan PatchCVSS 9.8ICS-CERT ICSA-16-287-07AJul 17, 2016

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

WebDatorCentral (WDC) versions prior to 3.4.0 contain multiple web application vulnerabilities: reflected cross-site scripting (CWE-79) allows injection of malicious JavaScript; open redirect (CWE-601) enables phishing attacks; weak credential handling (CWE-307) and improper credential storage (CWE-256) may expose authentication material. These flaws are exploitable without authentication from any attacker with network access to the WDC web interface. An attacker could execute arbitrary code in operator browsers, steal session tokens, or redirect users to malicious sites, potentially leading to unauthorized control commands or data theft from the SCADA infrastructure.

What this means

What could happen

An unauthenticated attacker on the network can inject malicious code, steal session credentials, or redirect users to phishing sites through multiple web vulnerabilities in WDC, potentially compromising the supervisory control and monitoring of critical infrastructure systems.

Who's at risk

Water utilities, electrical utilities, and other critical infrastructure operators using Kabona WebDatorCentral for SCADA supervisory control and data collection. This affects any organization relying on WDC for real-time monitoring and command dispatch to remote terminal units (RTUs) and programmable logic controllers (PLCs) in the field.

How it could be exploited

An attacker on the network sends a crafted HTTP request to WDC containing malicious input that exploits reflected cross-site scripting (CWE-79), open redirect (CWE-601), or weak credential handling (CWE-307). The attacker can inject scripts that execute in an operator's browser, steal authentication tokens, or trick users into visiting malicious sites. No authentication is required to trigger the vulnerability.

Prerequisites

Network access to WDC web interface (HTTP/HTTPS)
WDC version prior to 3.4.0 installed
No authentication required to exploit the web vulnerabilities

Remotely exploitableNo authentication requiredLow complexity attackNo patch currently availableAffects critical supervisory control systemsHigh CVSS score (9.8)

Exploitability

Unlikely to be exploited — EPSS score 0.9%

Affected products (1)

ProductAffected VersionsFix Status

WebDatorCentral (WDC): <3.4.0<3.4.0No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGIsolate WDC from untrusted networks using firewall rules; restrict HTTP/HTTPS access to authorized engineering workstations and administrative terminals only

WORKAROUNDDeploy a web application firewall (WAF) configured to block reflected XSS and open redirect attacks targeting WDC

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGMonitor WDC access logs for suspicious input patterns (script tags, external redirects) and investigate anomalies

HOTFIXPlan and execute upgrade to WebDatorCentral version 3.4.0 or later during a scheduled maintenance window

Mitigations - no patch available

0/1

WebDatorCentral (WDC): <3.4.0 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement network segmentation: place WDC on a dedicated VLAN separate from production control networks and business networks; use access control lists to limit inbound connections

CVEs (4)

CVE-2016-8356 CVE-2016-8376 CVE-2016-8347 CVE-2016-0872

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/8eb521e4-dd90-4551-aa18-8d6dc561cea6

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.