OTPulse

Kabona AB WDC Vulnerabilities (Update A)

Act Now | CVSS 9.8 | ICS-CERT ICSA-16-287-07A | Jul 17, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

WebDatorCentral (WDC) versions prior to 3.4.0 contain multiple web application vulnerabilities: reflected cross-site scripting (CWE-79) allows injection of malicious JavaScript; open redirect (CWE-601) enables phishing attacks; weak credential handling (CWE-307) and improper credential storage (CWE-256) may expose authentication material. These flaws are exploitable without authentication from any attacker with network access to the WDC web interface. An attacker could execute arbitrary code in operator browsers, steal session tokens, or redirect users to malicious sites, potentially leading to unauthorized control commands or data theft from the SCADA infrastructure.

What this means
What could happen
An unauthenticated attacker on the network can inject malicious code, steal session credentials, or redirect users to phishing sites through multiple web vulnerabilities in WDC, potentially compromising the supervisory control and monitoring of critical infrastructure systems.
Who's at risk
Water utilities, electrical utilities, and other critical infrastructure operators using Kabona WebDatorCentral for SCADA supervisory control and data collection. This affects any organization relying on WDC for real-time monitoring and command dispatch to remote terminal units (RTUs) and programmable logic controllers (PLCs) in the field.
How it could be exploited
An attacker on the network sends a crafted HTTP request to WDC containing malicious input that exploits reflected cross-site scripting (CWE-79), open redirect (CWE-601), or weak credential handling (CWE-307). The attacker can inject scripts that execute in an operator's browser, steal authentication tokens, or trick users into visiting malicious sites. No authentication is required to trigger the vulnerability.
Prerequisites
  • Network access to WDC web interface (HTTP/HTTPS)
  • WDC version prior to 3.4.0 installed
  • No authentication required to exploit the web vulnerabilities
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • No patch currently available
  • Affects critical supervisory control systems
  • High CVSS score (9.8)
Exploitability
Moderate exploit probability (EPSS 1.3%)
Affected products (1)
Product | Affected Versions | Fix Status
WebDatorCentral (WDC): <3.4.0 | <3.4.0 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate WDC from untrusted networks using firewall rules; restrict HTTP/HTTPS access to authorized engineering workstations and administrative terminals only
WORKAROUND: Deploy a web application firewall (WAF) configured to block reflected XSS and open redirect attacks targeting WDC
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor WDC access logs for suspicious input patterns (script tags, external redirects) and investigate anomalies
HOTFIX: Plan and execute upgrade to WebDatorCentral version 3.4.0 or later during a scheduled maintenance window
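
One way to carry out the access-log review described in the monitoring item above, as an added example (not code from Kabona, ICS-CERT or OTPulse). It assumes requests to WDC are logged in Apache/NGINX combined format by the web server or a reverse proxy in front of it; the hostname allowlist and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

ALLOWED_HOSTS = {"wdc.plant.example"}  # assumption: names operators use to reach WDC
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')  # request field of a combined-format line
SCRIPT_RE = re.compile(r"<\s*/?\s*(script|img|svg|iframe)\b|javascript:|\bon\w+\s*=", re.I)
# Absolute or scheme-relative URL used as a parameter value; group 1 is the authority.
URL_VALUE_RE = re.compile(r"^\s*(?:[a-z][a-z0-9+.-]*:)?[/\\]{2}([^/\\?#]+)", re.I)

# Constructed sample lines, not taken from a real WDC installation.
SAMPLE_LOG = [
    '10.0.5.21 - - [12/Mar/2024:08:14:02 +0000] "GET /wdc/overview?unit=7 HTTP/1.1" 200 5120',
    '10.0.9.40 - - [12/Mar/2024:08:15:10 +0000] "GET /wdc/search?q=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 811',
    '10.0.9.40 - - [12/Mar/2024:08:15:31 +0000] "GET /wdc/search?q=%253Csvg%2520onload%253Dx%253E HTTP/1.1" 200 802',
    '10.0.9.40 - - [12/Mar/2024:08:16:02 +0000] "GET /wdc/login?next=https%3A%2F%2Fportal.invalid%2Fsignin HTTP/1.1" 302 0',
    '10.0.5.21 - - [12/Mar/2024:08:17:45 +0000] "GET /wdc/login?next=%2Fwdc%2Fhome HTTP/1.1" 302 0',
]


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so %253Cscript is inspected as <script."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(log_line):
    """Return the sorted findings for one access-log line ([] when clean)."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    findings = set()
    for _name, raw in parse_qsl(urlsplit(match.group(1)).query, keep_blank_values=True):
        value = fully_decode(raw)
        if SCRIPT_RE.search(value):
            findings.add("script-markup")
        target = URL_VALUE_RE.match(value)
        if target:
            host = target.group(1).rsplit("@", 1)[-1].split(":")[0].lower()
            if host not in ALLOWED_HOSTS:
                findings.add("external-redirect")
    return sorted(findings)


def scan(lines):
    """Return (line_number, findings) for every line that needs investigation."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := classify(line))]
```

The findings are triage heuristics: a match marks a request for investigation, and the patterns should be tuned to the parameters the deployed WDC interface actually uses.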
Mitigations - no patch available
WebDatorCentral (WDC): <3.4.0 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation: place WDC on a dedicated VLAN separate from production control networks and business networks; use access control lists to limit inbound connections