-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Advisory ID: SYSS-2018-042 Product: Netbiter WS100 Manufacturer: HMS Industrial Networks AB Affected Version(s): 3.30.5 <= Tested Version(s): 3.30.5 Vulnerability Type: Cross-Site Scripting (CWE-79) Risk Level: Low Solution Status: Fixed Manufacturer Notification: 2018-11-29 Solution Date: 2018-12-20 Public Disclosure: 2019-01-11 CVE Reference: CVE-2018-19694 Authors of Advisory: Micha Borrmann (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Netbiter WS100 is a remote management solution for industrial control (e.g. emergency generators) (see [1]). Due to improper input validation, the web-based remote management solution is vulnerable to reflected cross-site scripting attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The login form reflects values from parameters without any kind of filtering or escaping. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The following attack vector exemplarily demonstrates the described reflected cross-site scripting vulnerability: http://$TARGET/cgi-bin/write.cgi?page=%22;document.write(%27%3Ch1%3EXSS%20Demonstration%3C/h1%3E%27)// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Install the provided security patch (see [2]). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2018-11-29: Detection of the vulnerability 2018-11-29: CVE number assigned 2018-12-03: Vulnerability reported to manufacturer 2018-12-20: Security patch was released from the vendor 2019-01-11: Public release of the security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product web site https://www.netbiter.com/support/file-doc-downloads/netbiter-ws100 [2] HMS Security Advisory Report HMSSAR-2018-12-04-001 https://www.hms-networks.com/docs/librariesprovider6/cybersecurity/hms-security-advisory-2018-12-04-001-ec150-ec250-lc310-lc350-ws100-ws200-cve-2018-19694.pdf [3] SySS Security Advisory SYSS-2018-042 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-042.txt [4] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Micha Borrmann of SySS GmbH. E-Mail: micha.borrmann (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEE8ufGpZlQhO161g3U7b4m5xTqWHYFAlw4ozcACgkQ7b4m5xTq WHbO4g//eCR/3uDF5Kr8G5Iybj8SkDbZVtkvvgX6E4NWKUEYC43F2buLtDqeei7k CiELScdzz7n0SDhmbZLG9NT5Luo9Uu62bDfVejm9c6zLug0VftvX280HyPK51oxf c3lX7mo5ZClq+Uj0UW/Pr4yZHhTEipySpRAOa1IM2VQqSN2tGThD/IOycZa3FmaL qk5h+H+hIZKBhFGuowFhNULouP076l6ib66K/v6yXTO6BkcHNiHToUAWkoRuQ0rB LEikXeAZqmv7DfKRwLhGJWzga4YDOQN0BCoVDtEzgpgf3ogyvwNMKnq5WxylfLn/ T2q8w4jvCmoPtQPRtW1IHGloMngso9O1bXBKzLAbS4EP/RJYzI8iazKVr7x9gpv0 7bw9+lQ9McMLLAiGgkJgMcWOjtaZpB+T5XegVbTjk/4g3kP6XCY8ZA4cvqxQ/QM5 4X5m5bk48ZW/agIqB+a8LzQdtQhFhITZ62eLO13Qmq7vEdIhTx6I1LmIIcICelyQ pY0aRtMcXePGZOSiO/gqO50L1giA4BjwUOtSekvpt0XP/D4thruUajEK+4hnvazP eX9bzseBj5gkaYGEBkj3adKK/AK9GALCwhj4UMvSlUA7uhMRUDZxErCZwUrVt9xB TM0wQddZ5TFCWy22WONVd2+I53WqU+FZbP/Ygv+S0o22nHM++4E= =TBoG -----END PGP SIGNATURE-----