CVE-2020-13501
📋 TL;DR
This is an unauthenticated SQL injection vulnerability in eDNA Enterprise Data Historian's CHaD.asmx web service. Attackers can send specially crafted SOAP requests to execute arbitrary SQL commands, potentially compromising the database. Organizations using affected versions of eDNA Enterprise Data Historian are at risk.
💻 Affected Systems
- eDNA Enterprise Data Historian
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data exfiltration, modification, or deletion; potential for full system takeover via SQL injection to RCE if database permissions allow.
Likely Case
Data theft from the historian database, including sensitive industrial process data, configuration information, and potentially credentials.
If Mitigated
Limited impact if proper network segmentation, web application firewalls, and input validation are in place.
🎯 Exploit Status
The vulnerability requires no authentication and has publicly available proof-of-concept code. Attackers can exploit this with standard SQL injection tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.6.0.0 or later
Vendor Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-20-254-01
Restart Required: Yes
Instructions:
1. Download and install eDNA Enterprise Data Historian version 7.6.0.0 or later from GE Digital.
2. Restart the eDNA services.
3. Verify the patch is applied by checking the version.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to the eDNA web service to only trusted internal networks.
Configure firewall rules to block external access to port 80/443 on the eDNA server.
Web Application Firewall
Deploy a WAF with SQL injection protection rules in front of the eDNA web service.
Configure the WAF to block requests containing SQL injection patterns.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate eDNA systems from untrusted networks
- Deploy a web application firewall with SQL injection detection and prevention rules
🔍 How to Verify
Check if Vulnerable:
Check if the CHaD.asmx endpoint responds to SOAP requests with SQL injection payloads in the InstanceName parameter. Use tools like sqlmap with caution in production environments.
Check Version:
Check the eDNA installation directory or use the eDNA management console to view version information.
Verify Fix Applied:
Verify the eDNA version is 7.6.0.0 or later and test that SQL injection payloads no longer execute successfully.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts or SQL errors in web server logs
- SOAP requests with suspicious parameters containing SQL keywords
Network Indicators:
- Unusual outbound database connections from the eDNA server
- SQL injection patterns in HTTP traffic to CHaD.asmx
SIEM Query:
source="web_server" AND url="*CHaD.asmx*" AND param="*InstanceName*" AND (value="*SELECT*" OR value="*UNION*" OR value="*--*")
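The SIEM query above assumes the web server already splits SOAP parameters into fields. Where only the raw POST bodies are logged, the indicators can be applied directly to the SOAP envelope, as in this added detection example (not code from the page, the vendor or the advisory). The SOAP namespace and the sample requests are constructed placeholders; the real CHaD.asmx namespace is not known here, so the parser matches the InstanceName element by local name only.

```python
import re
import xml.etree.ElementTree as ET

# Indicators taken from the page's detection section: SQL keywords, comment
# sequences and quote-based tautologies inside the InstanceName parameter.
SQLI_PATTERN = re.compile(
    r"(\bUNION\b|\bSELECT\b|\bDROP\b|--|;|/\*|'\s*OR\s*'|'\s*OR\s+\d)",
    re.IGNORECASE,
)

def instance_name_values(soap_body: str):
    """Return every InstanceName text value in a SOAP envelope, ignoring namespaces."""
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return []  # malformed bodies are skipped here; log them separately if desired
    values = []
    for elem in root.iter():
        local_name = elem.tag.rsplit("}", 1)[-1]  # strip "{namespace}" prefix
        if local_name == "InstanceName" and elem.text is not None:
            values.append(elem.text)
    return values

def suspicious_instance_names(soap_body: str):
    """Return the InstanceName values that match the SQL injection indicators."""
    return [v for v in instance_name_values(soap_body) if SQLI_PATTERN.search(v)]

def triage_requests(requests):
    """requests: iterable of (source_ip, url, body). Alerts only on CHaD.asmx traffic."""
    alerts = []
    for src, url, body in requests:
        if "chad.asmx" not in url.lower():
            continue
        hits = suspicious_instance_names(body)
        if hits:
            alerts.append({"src": src, "url": url, "values": hits})
    return alerts

def build_envelope(name: str) -> str:
    """Constructed SOAP request with a placeholder namespace (assumption, not the real schema)."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soap:Body><GetInstance xmlns="urn:example-placeholder">'
        f"<InstanceName>{name}</InstanceName></GetInstance></soap:Body></soap:Envelope>"
    )

# Constructed sample traffic, not real captures.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "/CHaD.asmx", build_envelope("Plant1_Pump3")),
    ("10.0.0.9", "/CHaD.asmx", build_envelope("x' UNION SELECT 1--")),
    ("10.0.0.9", "/other.asmx", build_envelope("x' OR '1'='1")),
]
```

Running `triage_requests(SAMPLE_REQUESTS)` flags only the second request; the third matches the pattern but is not addressed to CHaD.asmx, so it is left for the general web logs.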