Advisory ID: SYSS-2018-042
Product: Netbiter WS100
Manufacturer: HMS Industrial Networks AB
Affected Version(s): 3.30.5 <=
Tested Version(s): 3.30.5
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Low
Solution Status: Fixed
Manufacturer Notification: 2018-11-29
Solution Date: 2018-12-20
Public Disclosure: 2019-01-11
CVE Reference: CVE-2018-19694
Authors of Advisory: Micha Borrmann (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Netbiter WS100 is a remote management solution for industrial control
(e.g. emergency generators) (see [1]).

Due to improper input validation, the web-based remote management
solution is vulnerable to reflected cross-site scripting attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The login form reflects values from parameters without any kind of
filtering or escaping.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following attack vector exemplarily demonstrates the described
reflected cross-site scripting vulnerability:

http://$TARGET/cgi-bin/write.cgi?page=%22;document.write(%27%3Ch1%3EXSS%20Demonstration%3C/h1%3E%27)//

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install the provided security patch (see [2]).
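
Added example (not part of the SySS advisory and not HMS's patch): output
encoding of the kind whose absence the Vulnerability Details section
describes, applied to the `page` value from the PoC. It assumes, from the
PoC's leading `";` and trailing `//`, that the value is reflected inside a
double-quoted JavaScript string; the template and all function names are
hypothetical.

```javascript
// Added illustration; the template and function names are assumptions,
// not code from the device firmware.

// The `page` parameter from the advisory's PoC URL, URL-decoded.
const POC_PAGE = decodeURIComponent(
  "%22;document.write(%27%3Ch1%3EXSS%20Demonstration%3C/h1%3E%27)//");

// Vulnerable pattern: the raw value is concatenated into a string literal.
function renderVulnerable(page) {
  return `<script>var page = "${page}";</script>`;
}

// Encode a value for a quoted JavaScript string inside an inline <script>.
// Every UTF-16 code unit except ASCII letters and digits becomes \uXXXX,
// so quotes, backslashes, "<" (as in "</script>") and line terminators
// can neither close the literal nor close the script element.
function escapeForJsString(value) {
  const s = String(value);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    out += /[A-Za-z0-9]/.test(s[i])
      ? s[i]
      : "\\u" + s.charCodeAt(i).toString(16).padStart(4, "0");
  }
  return out;
}

// Hardened pattern: same template, value encoded for its output context.
function renderHardened(page) {
  return `<script>var page = "${escapeForJsString(page)}";</script>`;
}

// Check helper: return whatever follows the first string literal in the
// rendered markup. Anything other than ";</script>" means the request
// value ended the literal early and the remainder is parsed as code.
function codeAfterLiteral(html) {
  let i = html.indexOf('"') + 1;          // first character inside the literal
  while (i < html.length && html[i] !== '"') {
    i += html[i] === "\\" ? 2 : 1;        // step over backslash escapes
  }
  return html.slice(i + 1);
}

console.log("vulnerable:", codeAfterLiteral(renderVulnerable(POC_PAGE)));
console.log("hardened:  ", codeAfterLiteral(renderHardened(POC_PAGE)));
```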

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-11-29: Detection of the vulnerability
2018-11-29: CVE number assigned
2018-12-03: Vulnerability reported to manufacturer
2018-12-20: Security patch was released from the vendor
2019-01-11: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product web site
    https://www.netbiter.com/support/file-doc-downloads/netbiter-ws100
[2] HMS Security Advisory Report HMSSAR-2018-12-04-001
    https://www.hms-networks.com/docs/librariesprovider6/cybersecurity/hms-security-advisory-2018-12-04-001-ec150-ec250-lc310-lc350-ws100-ws200-cve-2018-19694.pdf
[3] SySS Security Advisory SYSS-2018-042
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-042.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Micha Borrmann of SySS GmbH.

E-Mail: micha.borrmann (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en