Aveva eDNA Enterprise Data Historian ednareporting.asmx Multiple SQL injection Vulnerabilities

2020-09-23T00:00:00
ID TALOS-2020-1108
Type talos
Reporter Talos Intelligence
Modified 2020-09-23T00:00:00

Description

Talos Vulnerability Report

TALOS-2020-1108

Aveva eDNA Enterprise Data Historian ednareporting.asmx Multiple SQL injection Vulnerabilities

September 23, 2020
CVE Number

CVE-2020-13503, CVE-2020-13504, CVE-2020-13505, CVE-2020-13521

Summary

Multiple SQL injection vulnerabilities exists in the ednareporting.asmx web service functionality of eDNA Enterprise Data Historian 3.0.1.2/7.5.4989.33053. Specially crafted SOAP web requests can cause SQL injections resulting in data compromise. An attacker can send unauthenticated HTTP requests to trigger these vulnerabilities.

Tested Versions

Aveva eDNA Enterprise Data Historian 3.0.1.2/7.5.4989.33053

Product URLs

<https://sw.aveva.com/asset-performance/industrial-information-management/enterprise-data-management>

CVSSv3 Score

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Details

.eDNA Enterprise Data Historian is highly scalable software platform that efficiently archives and quickly retrieves time-series data in business and operational environments.

Multiple SQL injection vulnerabilities exist within the web service as an unauthenticated user. A successful attack could allow an unauthenticated attacker to access information such as usernames and password hashes that are stored in the database.

CVE-2020-13503 - Parameter AttFilterName

Parameter AttFilterName in ednareporting.asmx is vulnerable to unauthenticated SQL injection attacks:

POST /webservice/ednareporting.asmx HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://instepsoftware/webservice/GetClassAttributeCVReportbyAttValueFilter"
User-Agent: agent
Host: [IP]
Content-Length: 911

&lt;soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://instepsoftware/webservice"&gt;
  &lt;soapenv:Header/&gt;
  &lt;soapenv:Body&gt;
     &lt;web:GetClassAttributeCVReportbyAttValueFilter&gt;
        &lt;web:psInstance&gt;1a&lt;/web:psInstance&gt;
        &lt;web:psClass&gt;1b&lt;/web:psClass&gt;
        &lt;web:psAttribute&gt;1c&lt;/web:psAttribute&gt;
        &lt;web:FilterMin&gt;aa&lt;/web:FilterMin&gt;
        &lt;web:FilterMax&gt;aab&lt;/web:FilterMax&gt;
        &lt;web:AttFilterName&gt;(SQL INJECTION)&lt;/web:AttFilterName&gt;
        &lt;web:AttFilterValue&gt;aabc&lt;/web:AttFilterValue&gt;
     &lt;/web:GetClassAttributeCVReportbyAttValueFilter&gt;
  &lt;/soapenv:Body&gt;
&lt;/soapenv:Envelope&gt;

CVE-2020-13504 - Parameter AttFilterValue

Parameter AttFilterValue in ednareporting.asmx is vulnerable to unauthenticated SQL injection attacks:

POST /webservice/ednareporting.asmx HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://instepsoftware/webservice/GetClassAttributeCVReportbyAttValueFilter"
User-Agent: agent
Host: [IP]
Content-Length: 911

&lt;soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://instepsoftware/webservice"&gt;
  &lt;soapenv:Header/&gt;
  &lt;soapenv:Body&gt;
     &lt;web:GetClassAttributeCVReportbyAttValueFilter&gt;
        &lt;web:psInstance&gt;1a&lt;/web:psInstance&gt;
        &lt;web:psClass&gt;1b&lt;/web:psClass&gt;
        &lt;web:psAttribute&gt;1c&lt;/web:psAttribute&gt;
        &lt;web:FilterMin&gt;aa&lt;/web:FilterMin&gt;
        &lt;web:FilterMax&gt;aab&lt;/web:FilterMax&gt;
        &lt;web:AttFilterName&gt;aabcd&lt;/web:AttFilterName&gt;
        &lt;web:AttFilterValue&gt;(SQL INJECTION)&lt;/web:AttFilterValue&gt;
     &lt;/web:GetClassAttributeCVReportbyAttValueFilter&gt;
  &lt;/soapenv:Body&gt;
&lt;/soapenv:Envelope&gt;

CVE-2020-13505 - Parameter psClass

Parameter psClass in ednareporting.asmx is vulnerable to unauthenticated SQL injection attacks:

POST /webservice/ednareporting.asmx HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://instepsoftware/webservice/GetClassAttributeCVReportbyAttValueFilter"
User-Agent: agent
Host: [IP]
Content-Length: 911

&lt;soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://instepsoftware/webservice"&gt;
  &lt;soapenv:Header/&gt;
  &lt;soapenv:Body&gt;
     &lt;web:GetClassAttributeCVReportbyAttValueFilter&gt;
        &lt;web:psInstance&gt;1a&lt;/web:psInstance&gt;
        &lt;web:psClass&gt;(SQL INJECTION)&lt;/web:psClass&gt;
        &lt;web:psAttribute&gt;1c&lt;/web:psAttribute&gt;
        &lt;web:FilterMin&gt;aa&lt;/web:FilterMin&gt;
        &lt;web:FilterMax&gt;aab&lt;/web:FilterMax&gt;
        &lt;web:AttFilterName&gt;aabcd&lt;/web:AttFilterName&gt;
        &lt;web:AttFilterValue&gt;aabc&lt;/web:AttFilterValue&gt;
     &lt;/web:GetClassAttributeCVReportbyAttValueFilter&gt;
  &lt;/soapenv:Body&gt;
&lt;/soapenv:Envelope&gt;

CVE-2020-13506 - Parameter psInstance

Parameter psInstance in ednareporting.asmx is vulnerable to unauthenticated SQL injection attacks:

POST /webservice/ednareporting.asmx HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://instepsoftware/webservice/GetClassAttributeCVReportbyAttValueFilter"
User-Agent: agent
Host: [IP]
Content-Length: 911

&lt;soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://instepsoftware/webservice"&gt;
  &lt;soapenv:Header/&gt;
  &lt;soapenv:Body&gt;
     &lt;web:GetClassAttributeCVReportbyAttValueFilter&gt;
        &lt;web:psInstance&gt;(SQL INJECTION)&lt;/web:psInstance&gt;
        &lt;web:psClass&gt;1b&lt;/web:psClass&gt;
        &lt;web:psAttribute&gt;1c&lt;/web:psAttribute&gt;
        &lt;web:FilterMin&gt;aa&lt;/web:FilterMin&gt;
        &lt;web:FilterMax&gt;aab&lt;/web:FilterMax&gt;
        &lt;web:AttFilterName&gt;aabcd&lt;/web:AttFilterName&gt;
        &lt;web:AttFilterValue&gt;aabc&lt;/web:AttFilterValue&gt;
     &lt;/web:GetClassAttributeCVReportbyAttValueFilter&gt;
  &lt;/soapenv:Body&gt;
&lt;/soapenv:Envelope&gt;

CVE-2020-13521 - Parameter psAttribute

Parameter psAttribute in ednareporting.asmx is vulnerable to unauthenticated SQL injection attacks:

POST /webservice/ednareporting.asmx HTTP/1.1 Accept-Encoding: gzip,deflate Content-Type: text/xml;charset=UTF-8 SOAPAction: “http://instepsoftware/webservice/GetClassAttributeCVReportbyAttValueFilter” User-Agent: agent Host: [IP] Content-Length: 911

1a 1b (SQL INJECTION) aa aab aabcd aabc

Timeline

2020-07-10 - Vendor disclosure
2020-08-10 - Vendor provided patch for Talos to test
2020-08-21 - Talos confirmed fix/patch
2020-09-23 - Public disclosure release

Credit

Discovered by Yuri Kramarz of Cisco Talos.


Vulnerability Reports Next Report

TALOS-2020-1107

Previous Report

TALOS-2020-1109