
7T IGSS / SafeNet Sentinel Input Sanitization Vulnerability

December 12, 2011

Security researcher Carlos Mario Penagos Hollman of Synapse-labs has identified an input sanitization vulnerability in the third-party SafeNet Sentinel HASP Software Rights Management (HASP-SRM) license manager application that is embedded in the 7 Technologies (7T) IGSS SCADA software.

SafeNet Sentinel HASP and 7T IGSS are prone to an HTML-injection vulnerability because they fail to properly sanitize user-supplied input.

Attacker-supplied HTML and script code could be executed in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user; other attacks are also possible, including allowing an attacker to change the code in a configuration file.

SafeNet has produced an updated version that mitigates this vulnerability, which has also been tested by the researcher.

Affected products include:
-  SafeNet Sentinel HASP SDK releases older than Version 5.11
-  Sentinel HASP Runtime installers older than Version 6.x
-  7 Technologies (7T) IGSS Version 7

ICS-CERT Advisories / Alerts

ICSA-11-314-01
ICSA-11-314-01P (released on Nov. 14, 2011 via US-CERT secure Portal)

Vendor Website (includes Patches / Hotfixes)

7 Technologies IGSS Product Info
IGSS Free SCADA Software Download
SafeNet - Security Vulnerability in Sentinel HASP v5.95 and Earlier
Sentinel Runtime Patch Download
Sentinel SDK Patch Download

Exploit Proof-of-Concept

Attackers can use a browser (Mozilla Firefox 2.0) to exploit this issue. Current versions of Firefox, Internet Explorer, Opera and Chrome may not reproduce the vulnerability.

Common Vulnerability & Exposure (CVE) References

CVE-2011-3339
NVD CVE-2011-3339

Additional Information

Secunia Vulnerability Report and Statistics on SafeNet
Security Focus Vulnerability Info and Exploit Bugtraq ID 51028

SafeNet Sanitization Vulnerability (ISSSource)