OPW Fuel Management Systems SiteSentinel Integra and SiteSentinel iSite
Act Now | 9.8 | ICS-CERT ICSA-17-243-04 | Aug 31, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
OPW's SiteSentinel Integra and SiteSentinel iSite fuel management systems contain multiple vulnerabilities (CWE-306 missing authentication, CWE-89 SQL injection) that allow unauthenticated remote attackers to execute arbitrary SQL commands, gain unauthorized access to fuel inventory and transaction data, and potentially modify system configurations. All versions through at least V195 and V16Q3.1 are affected. No patches are available from the vendor.
What this means
What could happen
An unauthenticated attacker on the network can run SQL commands directly against the fuel management database, allowing them to view or alter fuel inventory records, transaction data, customer billing information, and potentially manipulate pump configurations or disable monitoring of fuel deliveries and sales.
Who's at risk
Fuel station operators and fuel supply chain management companies using OPW SiteSentinel Integra or iSite systems are affected. These systems manage fuel inventory, pump operations, and customer billing at retail fuel stations and fuel distribution facilities. Any organization relying on this system for fuel accountability and operational control should assess their exposure.
How it could be exploited
An attacker crafts a network request to the SiteSentinel web interface without valid credentials, injecting SQL commands into an input field. The application passes the malicious input directly to the database without validation or parameterization, allowing the attacker to read, modify, or delete data from the fuel management database.
Prerequisites
- Network access to the SiteSentinel Integra or iSite web interface port
- No credentials required
- Ability to craft HTTP requests with SQL injection payloads
remotely exploitable | no authentication required | low complexity | no patch available | SQL injection allows data manipulation
Exploitability
Moderate exploit probability (EPSS 1.3%)
Affected products (4)
4 pending
Product | Affected Versions | Fix Status
SiteSentinel Integra and SiteSentinel iSite: V191-V195 | V191-V195 | No fix yet
SiteSentinel Integra and SiteSentinel iSite: V175-V189 | V175-V189 | No fix yet
SiteSentinel Integra and SiteSentinel iSite: Older than V175 | < V175 | No fix yet
SiteSentinel Integra and SiteSentinel iSite: V16Q3.1 | V16Q3.1 | No fix yet
Remediation & Mitigation
Do now
- HARDENING: Isolate SiteSentinel systems from untrusted networks using a firewall; permit only known fuel delivery, accounting, and internal management systems to connect on the management interface port
- HARDENING: Implement network segmentation to separate the fuel management system from general corporate networks and the internet
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor database activity for SQL injection patterns or unusual queries against fuel inventory and transaction tables
Long-term hardening
- WORKAROUND: Contact OPW Sales for migration path to newer systems; no patches are available for current versions
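For the monitoring step above (SQL injection patterns or unusual queries against fuel inventory and transaction tables), here is an added example that is not part of the advisory or of OPW's software. It scans a database query log for injection heuristics and for clients outside the permitted set; the table names, client addresses and log layout are assumptions to replace with your own.

```python
import re

# Assumptions (not from the advisory): table names, client allowlist, log layout.
SENSITIVE_TABLES = {"fuel_inventory", "transactions"}
KNOWN_CLIENTS = {"10.20.0.5", "10.20.0.6"}   # e.g. accounting, internal management

RULES = {
    "tautology": re.compile(r"\bor\s+'?(\w+)'?\s*=\s*'?\1'?(?!\w)", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "stacked_statement": re.compile(r";\s*(select|insert|update|delete|drop|alter)\b", re.I),
    "comment_truncation": re.compile(r"--|/\*"),
    "schema_probe": re.compile(r"\binformation_schema\b|\bsqlite_master\b", re.I),
}

# Constructed sample query log: timestamp|client_ip|statement
SAMPLE_LOG = """\
2017-08-31T10:00:01|10.20.0.5|SELECT volume FROM fuel_inventory WHERE tank_id = 3
2017-08-31T10:00:07|10.20.0.6|SELECT id FROM transactions WHERE site = 'A' OR '1'='1'
2017-08-31T10:00:09|192.0.2.44|SELECT name FROM sites WHERE id = 1 UNION SELECT volume FROM fuel_inventory
2017-08-31T10:00:12|192.0.2.44|SELECT name FROM sites WHERE id = 2
2017-08-31T10:00:15|10.20.0.5|UPDATE transactions SET note = 'ok' WHERE id = 9; DROP TABLE transactions --
"""

def analyze(line):
    """Return an alert dict for a suspicious log line, or None if it looks routine."""
    ts, client, stmt = line.split("|", 2)
    hits = [name for name, rx in RULES.items() if rx.search(stmt)]
    if client not in KNOWN_CLIENTS:
        hits.append("unknown_client")
    if not hits:
        return None
    tables = sorted(t for t in SENSITIVE_TABLES if re.search(rf"\b{t}\b", stmt, re.I))
    patterns = [h for h in hits if h != "unknown_client"]
    severity = "high" if patterns and tables else "medium"
    return {"time": ts, "client": client, "rules": hits, "tables": tables, "severity": severity}

def scan(log_text):
    """Analyze every well-formed line and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        if line.count("|") >= 2:          # skip malformed lines
            alert = analyze(line)
            if alert:
                alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a)
```

Pattern rules like these produce false positives and miss encoded input, so treat hits as triage leads alongside the firewall and segmentation steps rather than as a substitute for them.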
CVEs (2)
API:
/api/v1/advisories/c1b6d1ab-38c5-4136-a54b-4d0d168af767