SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-716045688] Moxa SoftCMS SQL Injection Vulnerability

Date Type Platform Author EDB-ID CVE-ID OSVDB-ID Download App SIS Signature
2016-08-02CMSMoxa SoftCMSZhou YuN/A2016-5792N/AN/AN/A

Source

						
							
								
#
# Moxa SoftCMS SQL Injection Vulnerability
#


### OVERVIEW

Zhou Yu of Acorn Network Security has identified a SQL injection vulnerability in Moxa's SoftCMS. ZDI reported this vulnerability to ICS-CERT. Moxa has produced an update to mitigate this vulnerability.

This vulnerability could be exploited remotely.




### AFFECTED PRODUCTS

Moxa reports that the vulnerability affects the following products:
SoftCMS versions prior to Version 1.5






### IMPACT

A successful exploit of this vulnerability could allow an attacker to execute arbitrary commands on the target system.

Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.






### BACKGROUND

Moxa is a Taiwan-based company that maintains offices in several countries around the world, including the US, UK, India, Germany, France, China, Russia, and Brazil.

The affected product, SoftCMS, is a central management software that manages large scale surveillance systems. According to Moxa, SoftCMS is deployed across several sectors including Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems, and others. Moxa estimates that these products are used primarily in the United States and Europe with a small percentage in Asia.





### VULNERABILITY CHARACTERIZATION


# VULNERABILITY OVERVIEW

SQL INJECTION

SoftCMS does not properly sanitize input fields, allowing an attacker to access the product by specially crafting the input.

CVE-2016-5792 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).





### VULNERABILITY DETAILS


# EXPLOITABILITY

This vulnerability could be exploited remotely.


# EXISTENCE OF EXPLOIT

No known public exploits specifically target this vulnerability.


# DIFFICULTY

An attacker with a low skill would be able to exploit this vulnerability.





### MITIGATION

Moxa's suggested mitigation is to update the application (SoftCMS v1.5), which is available for download from Moxa's web site at the following link:
http://www.moxa.com/support/download.aspx?type=support&id=11362