A severe SQL injection vulnerability in the Navis WebAccess application affects 13 organizations (port authorities and logistics operators) worldwide. The exploit has been used by malicious users to steal sensitive data.
Navis WebAccess is a legacy application that is still used by transport systems around the globe.
The Navis WebAccess application, which is used by marine port and transport operators, is vulnerable to a serious SQL injection exploit. The issue was recently discovered by a hacker under the alias “bRpsd”. WebAccess is a web-based application by Cargotec that gives operators and their agents real-time online access to logistics information.
The SQL injection allows remote attackers to compromise the database and gain access to all stored data. As the tables contain sensitive data, the stolen information can potentially be used for malicious purposes. The issue has been assigned the ID CVE-2016-5817. According to the public advisory, exploits are available on the Internet, and even criminals with low skills can employ them.
Security experts suggest the following measures to minimize the risks:
- Minimization of the privileges assigned to each account of the SQL database.
- Minimization of network exposure for all control systems and isolation.
- Isolation of security defenses such as network firewalls and intrusion detection systems to maximize their potential.
- Usage of VPN and other secure options for remote access.
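The first measure in the list, shown next to the query-level fix for SQL injection, as an added example that is not Navis code or taken from the advisory. The table names, rows, function names and the `PROBE` input are constructed, and an in-memory SQLite database with an authorizer callback stands in for the grants given to a real database account.

```python
import sqlite3

PROBE = "x' OR '1'='1"           # constructed test input, a classic tautology
ALLOWED_TABLES = {"containers"}  # the only table the lookup feature needs

def authorizer(action, arg1, arg2, dbname, source):
    # Stand-in for database grants: permit SELECT, and column reads only
    # on allowed tables; deny every other action (writes, DDL, other tables).
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in ALLOWED_TABLES:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY

def make_db(restricted=False):
    # Constructed schema and rows, held in memory.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE containers(id TEXT, status TEXT);
        CREATE TABLE accounts(login TEXT, pw_hash TEXT);
        INSERT INTO containers VALUES ('CONT001','gate-in'),('CONT002','on-vessel');
        INSERT INTO accounts VALUES ('agent1','constructed-hash');
    """)
    if restricted:
        db.set_authorizer(authorizer)
    return db

def lookup_concatenated(db, container_id):
    # Weak form: the input becomes part of the SQL text.
    sql = "SELECT id, status FROM containers WHERE id = '" + container_id + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, container_id):
    # Hardened form: the input is bound as data and never parsed as SQL.
    sql = "SELECT id, status FROM containers WHERE id = ?"
    return db.execute(sql, (container_id,)).fetchall()

def read_denied(db, sql):
    # True if the connection's privileges reject the statement.
    try:
        db.execute(sql).fetchall()
        return False
    except sqlite3.DatabaseError:
        return True

if __name__ == "__main__":
    print("concatenated :", lookup_concatenated(make_db(), PROBE))
    print("parameterized:", lookup_parameterized(make_db(), PROBE))
    print("accounts read denied:", read_denied(make_db(True), "SELECT login FROM accounts"))
```

The restricted connection still serves the legitimate lookup, so the privilege limit bounds what any statement on that connection can reach without breaking the feature.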
Transportation systems are defined as critical infrastructure, which makes them one of the most important assets in national security. Affected American users include Georgia Ports Authority, the Port of Virginia, Port of Houston Authority and Ports America. The hacker has demonstrated successful attacks by defacing more than 1200 sites since 2014. After the disclosure was reported to the vendor, a patch for the affected version was issued.