Description Preview
Overview
The Hexagon G!nius Auskunftsportal (information portal) is a GIS-based utility management system used by organizations to manage infrastructure data. The vulnerability exists in the file download functionality where user-supplied input in the 'id' parameter is not properly sanitized before being used in SQL queries. This allows attackers to inject and execute arbitrary SQL commands within the application's database. The impact of this vulnerability can be severe as it may allow unauthorized access to sensitive information stored in the database, including user credentials, personal information, and infrastructure data. Additionally, depending on database permissions, attackers might be able to modify or delete data, or potentially gain further access to the underlying system.
Remediation
Organizations using Hexagon G!nius Auskunftsportal should implement the following remediation steps:
- Update to version 5.0.0.0 or later as soon as possible, as this version addresses the SQL injection vulnerability.
- If immediate updating is not possible, consider implementing additional security controls such as:
- Deploying a web application firewall (WAF) configured to block SQL injection attempts
- Restricting access to the vulnerable endpoint through network segmentation
- Implementing input validation at the network perimeter
- Monitor database logs for suspicious queries that might indicate exploitation attempts
- Conduct a security assessment to identify any signs of previous exploitation
- Follow the principle of least privilege for database accounts used by the application
References
-
Packet Storm Security - Hexagon G-nius Auskunftsportal SQL Injection: http://packetstormsecurity.com/files/162534/Hexagon-G-nius-Auskunftsportal-SQL-Injection.html
-
GitHub - Exploit details and proof of concept: https://gist.githubusercontent.com/mke1985/a21a71098f48829916dfec74eff1e24a/raw/f635b060ad03e23fd887de48a79b70040daadadb/CVE-2021-32051
-
Hexagon Product Information: https://www.hexagonsafetyinfrastructure.com/products/utilities-and-communications-products/advanced-utility-gis/hexagon-ginius
-
Common Weakness Enumeration - CWE-89 (SQL Injection): https://cwe.mitre.org/data/definitions/89.html
Industry ExposureMost to leastThis section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- Accommodation & Food ServicesAccommodation & Food Services
- Administrative, Support, Waste Management & Remediation ServicesAdministrative, Support, Waste Management & Remediation Services
- Agriculture, Forestry Fishing & HuntingAgriculture, Forestry Fishing & Hunting
- Arts, Entertainment & RecreationArts, Entertainment & Recreation
- ConstructionConstruction
- Educational ServicesEducational Services
- Finance and InsuranceFinance and Insurance
- Health Care & Social AssistanceHealth Care & Social Assistance
- InformationInformation
- Management of Companies & EnterprisesManagement of Companies & Enterprises
- ManufacturingManufacturing
- MiningMining
- Other Services (except Public Administration)Other Services (except Public Administration)
- Professional, Scientific, & Technical ServicesProfessional, Scientific, & Technical Services
- Public AdministrationPublic Administration
- Real Estate Rental & LeasingReal Estate Rental & Leasing
- Retail TradeRetail Trade
- Transportation & WarehousingTransportation & Warehousing
- UtilitiesUtilities
- Wholesale TradeWholesale Trade
