Flaw in Navis WebAccess exposes port authorities to hacking

Aug 23, 2016 16:45 GMT  ·  By

Ports in the US have reported attacks using an SQL injection flaw made public by a hacker known as bRpsd, who released a fully working exploit online without notifying the vendor in advance.

Following these events, ICS-CERT, the US-CERT division in charge of security alerts for industrial control systems (ICS), has issued advisories regarding the vulnerability's existence and the ongoing series of attacks.

The affected application is Navis WebAccess, the Web-based component of the Navis maritime transportation logistics software suite, sold by the Cargotec Corporation.

Hacker dumps fully working Navis SQLi exploit code on Exploit-DB

ICS-CERT says the company became aware of the SQL injection zero-day on August 9, a day after bRpsd published his proof-of-concept code.

The Navis team released a patch on August 10 and started notifying customers. According to Cargotec, there are only 13 companies across the world currently deploying Navis software, five of them in the US.

A quick Google search reveals the Navis panels of at least three US companies. One of the companies that deploy Navis is Ports America, a corporation that manages 42 ports across the US and Canada, in 80 different locations, including large maritime hubs such as New York, Los Angeles, Miami, New Orleans, Boston, Portland, San Diego, Tampa, Vancouver, Houston, Jacksonville, and many more.

The notification didn't come fast enough, and some ports reported attacks using the SQL injection.

Zero-day requires low sophistication to exploit

According to ICS-CERT, "the SQL injection vulnerability [...] targeted publicly available news-pages in the [Navis] application."

ICS-CERT says the exploit requires a low sophistication level to execute, that the SQL injection is delivered as part of the URL string, and that it stems from a flaw in the Navis error reporting system.
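One way a defender could spot this class of attack in web server logs, as an added example that is not part of the original article or of Navis's own tooling: it parses constructed access-log lines (the /express/news.jsp path and the "id" parameter are assumptions, not the real WebAccess routes), flags SQL syntax smuggled into query-string values, and notes when such a request produced an HTTP 500, which is the tell-tale of the error-based injection the advisory describes.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines in Apache combined format. The
# /express/news.jsp path and "id" parameter are assumptions, not the real
# Navis WebAccess routes.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Aug/2016:10:12:01 +0000] "GET /express/news.jsp?id=12 HTTP/1.1" 200 5120
203.0.113.7 - - [09/Aug/2016:10:12:05 +0000] "GET /express/news.jsp?id=12' HTTP/1.1" 500 812
203.0.113.7 - - [09/Aug/2016:10:12:09 +0000] "GET /express/news.jsp?id=12%27%20AND%201=1--%20 HTTP/1.1" 200 5120
198.51.100.4 - - [09/Aug/2016:10:13:00 +0000] "GET /express/news.jsp?id=13 HTTP/1.1" 200 4990
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+')

# Indicators of SQL syntax inside a query-string value. Kept conservative:
# each pattern needs quote, comment or keyword context, so a plain word such
# as "and" typed into a search box does not trigger on its own.
SQLI_PATTERNS = [
    (re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I), "tautology"),
    (re.compile(r"(--|/\*)"), "sql-comment"),
    (re.compile(r"\bunion\b.*\bselect\b", re.I), "union-select"),
    (re.compile(r"'\s*$"), "dangling-quote"),
]


def classify_request(url, status):
    """Return the indicator names found in the (percent-decoded) query values.
    A 500 response to a flagged request is tagged 'db-error-response', since
    error-based SQLi depends on the application leaking database errors."""
    found = []
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for pattern, name in SQLI_PATTERNS:
            if pattern.search(value):
                found.append(name)
    if found and status == 500:
        found.append("db-error-response")
    return sorted(set(found))


def scan_log(text):
    """Yield (client ip, url, indicators) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        indicators = classify_request(m["url"], int(m["status"]))
        if indicators:
            hits.append((m["ip"], m["url"], indicators))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags the second and third requests from 203.0.113.7 and leaves the ordinary news-page reads alone; the same client probing with a quote and then a tautology is the sequence a low-sophistication attacker produces.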

ICS-CERT says that all US entities deploying Navis have applied the necessary patches, but it has issued the alert so that Cargotec's international customers do the same.

In the meantime, bRpsd's exploit has spread from Exploit-DB, the site where it was initially uploaded, to a plethora of other portals hosting proof-of-concept code for known vulnerabilities.

bRpsd is a very active hacker, with a Zone-H profile of over 1,200 defaced websites. He is also the hacker who broke into the Dark Web portal belonging to the Albanian mafia group called Besa.

One of the Navis WebAccess panels exposed to the Internet