CVE-2023-1934

Vulnerability

An unauthenticated error-based PostgreSQL injection vulnerability exists in the hitlogcsv.jsp endpoint of SDG PnPSCADA, affecting version 2.* across all platforms [1][2]. The software fails to properly neutralize special elements in SQL commands, allowing an attacker to inject arbitrary SQL statements through crafted requests to this endpoint [1]. No authentication or special privileges are required to trigger the vulnerability [1].

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the hitlogcsv.jsp endpoint, which is reachable without authentication [2]. The attack can be performed over a network connection, with low complexity, and does not require user interaction [1]. The error-based nature of the injection means the attacker can infer database information through server responses, gradually extracting data [1][2].

Impact

Successful exploitation allows an attacker to interact with the underlying PostgreSQL database, enabling retrieval of critical data including Industrial Control System (ICS) and operational technology (OT) information, alongside SMS and SMS Logs [1]. The attacker could potentially manipulate or breach essential infrastructure data, leading to compromise of sensitive records [1]. The CVSS v3 vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates a high impact on confidentiality, integrity, and availability [1].

Mitigation

As of the publication date, SDG Technologies was aware of the issue and developing a fix, but no patched version had been released [1]. Recommended workarounds include using prepared statements to prevent SQL injections, avoiding public exposure of assets, and restricting public access to the PnPSCADA system [1]. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].