Important: CSWorks security release 2.5.5233.0
Date: May 8, 2014
Subject: SQL injection vulnerability in CSWorks LiveData Service
Versions: 2.5.5050.0 and earlier
Summary: Remote attackers can achieve remote code execution on the server running CSWorks LiveData Service via SQL injection on.

Description
CSWorks LiveData Service 2.5.5050.0 and earlier allows remote attackers to perform SQL injection via the CSWorks LiveData web API and achieve remote code execution using the MySQL "INTO OUTFILE" feature.

Mitigation
When using an SQL database as the CSWorks data source, make sure CSWorks uses a database engine account that cannot perform actions beyond the scope of CSWorks LiveData operations: selecting and updating records in specific SQL tables. Under no circumstances should administrators give root access to CSWorks. Also, administrators should not allow unauthorized users to access the CSWorks web API.
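
One way to apply the database-account advice above on MySQL, as an added example that is not part of the vendor advisory. The account name `csworks_svc`, the schema `csworks_data`, the table `livedata_points` and the password placeholder are assumptions; substitute the names used by your installation.

```sql
-- Added example; csworks_svc, csworks_data and livedata_points are hypothetical names.

-- 1. Audit: list accounts holding global privileges that go beyond record access.
--    FILE is the privilege MySQL requires for SELECT ... INTO OUTFILE.
SELECT user, host, File_priv, Super_priv, Grant_priv, Process_priv
FROM mysql.user
WHERE File_priv = 'Y' OR Super_priv = 'Y' OR Grant_priv = 'Y' OR Process_priv = 'Y';

-- 2. Weak setup (shown commented out): a global grant gives the service account
--    FILE and every other privilege, the same reach as root.
-- GRANT ALL PRIVILEGES ON *.* TO 'csworks_svc'@'localhost';

-- 3. Corrected setup for a new account: table-level SELECT and UPDATE only.
CREATE USER 'csworks_svc'@'localhost' IDENTIFIED BY '<password-placeholder>';
GRANT SELECT, UPDATE ON csworks_data.livedata_points TO 'csworks_svc'@'localhost';

-- 4. For an existing over-privileged account, strip everything first,
--    then re-issue only the table-level grant from step 3.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'csworks_svc'@'localhost';
GRANT SELECT, UPDATE ON csworks_data.livedata_points TO 'csworks_svc'@'localhost';

-- 5. Verify: the output should show USAGE on *.* plus the single table grant,
--    with no FILE, SUPER or ALL PRIVILEGES entries.
SHOW GRANTS FOR 'csworks_svc'@'localhost';

-- 6. Defense in depth: check where the server allows file export at all.
--    An empty value means export is not restricted to any directory.
SHOW VARIABLES LIKE 'secure_file_priv';
```

Without the FILE privilege, an injected `INTO OUTFILE` clause is rejected by the server even if the injection itself succeeds, which is why the account settings come first in the list of actions below.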

Patch availability

CSWorks 2.5.5233.0 has been issued as a security release to correct the defect. CSWorks administrators running affected versions are advised to (in order of importance):

  • verify CSWorks LiveData Service SQL database settings;
  • verify CSWorks web API access policy;
  • upgrade to 2.5.5233.0 (available at the CSWorks web site http://www.controlsystemworks.com/DownloadDescription.aspx).

 

Credits
The vulnerability was reported by John Leitch working with HP Zero Day Initiative.

References
http://www.zerodayinitiative.com/advisories/