Mercator SENTINEL SQL injection allows authentication bypass

2011-09-15T00:00:00
ID VU:122142
Type cert
Reporter CERT
Modified 2012-05-10T15:06:00

Description

Overview

Mercator SENTINEL contains an SQL injection vulnerability that could allow an attacker to bypass authentication and access the system with administrative privileges.

Description

Mercator SENTINEL is a flight safety management system. The login form of the web interface contains an SQL injection vulnerability. Please see CERT-NPS:2011:005 for more information.


Impact

An attacker with network access to the SENTINEL web interface could access the system with administrative privileges.


Solution

Upgrade

Credible information indicates that this vulnerability is addressed in SENTINEL version 2.0.1.0.


Restrict access

Restrict access to the SENTINEL web interface to trusted users and networks.


Vendor Information

122142

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Vendor has issued information

__ Sort by: Status Alphabetical

Expand all

Affected Unknown __ Unaffected

Javascript is disabled. Click here to view vendors.

__ Mercator

Notified: June 22, 2011 Updated: October 14, 2011

Status

__ Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Credible information indicates that this vulnerability is addressed in SENTINEL version 2.0.1.0.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 9.7 | AV:N/AC:L/Au:N/C:C/I:C/A:P
Temporal | 7.9 | E:F/RL:W/RC:UC
Environmental | 2.1 | CDP:LM/TD:L/CR:ND/IR:ND/AR:ND

References

  • <http://cert.netpeas.org/2011/06/cert-nps2011005-vulnerabilite-potentielle-dans-la-solution-de-gestion-de-la-securite-operationnelle-des-compagnies-aeriennes-%C2%AB-sentinel-safety-information-management-system-%C2%BB/>
  • <http://cert.netpeas.org/2011/06/cert-nps2011005-vulnerabilite-potentielle-dans-la-solution-de-gestion-de-la-securite-operationnelle-des-compagnies-aeriennes-suite/>
  • <http://www.mercator.com/customers/CustMap/customermap.html>
  • <http://cwe.mitre.org/data/definitions/89.html>

Credit

Thanks to CERT-NETPEAS for reporting this vulnerability. Thanks also to ICS-CERT and aeCERT for their assistance.

This document was written by Art Manion.

Other Information

CVE IDs: | CVE-2011-1913
---|---
Severity Metric:** | 1.22
Date Public:
| 2011-06-20
Date First Published: | 2011-09-15
Date Last Updated: | 2012-05-10 15:06 UTC
Document Revision: | 15