CSWorks created an update to fix a SQL injection vulnerability in its CSWorks software framework, according to a report on ICS-CERT.
CSWorks Version 2.5.5050.0 and prior suffer from the remotely exploitable vulnerability discovered by Researcher John Leitch, working with HP’s Zero Day Initiative (ZDI).
Successful exploitation of this vulnerability may leave applications developed with CSWorks software vulnerable to SQL injection attacks. The implications of this vary depending on the intended function of the developed application.
CSWorks’ headquarters is in Vancouver, Canada, and provides industrial automation support and process control software.
The affected product, CSWorks software framework, is a web-based software framework that can build process control applications. According to CSWorks, the CSWorks software framework sees use across several sectors including commercial facilities, communications, and critical manufacturing. CSWorks estimates the CSWorks software sees most deployments in Norway, Russia, and Spain.
The CSWorks software does not properly sanitize or validate the data used to construct read and write paths, which may make applications built with the affected product to be susceptible to an SQL injection attack. Depending on the intended use of the application, an attacker may be able to exploit this vulnerability to achieve remote code execution.
CVE-2014-2351 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.5.
No known attacks specifically target this vulnerability, however, an attacker with a low skill level would be able to exploit it.
CSWorks addressed this vulnerability in the updated version of CSWorks, Version 2.5.5233.0.
For additional mitigation and installation information, please review CSWorks’ security release.