CVE-2021-32989
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in LAquis SCADA allows attackers to inject malicious scripts via error messages when requesting non-existent resources. Attackers can execute arbitrary JavaScript in victims' browsers, potentially stealing credentials or performing actions on their behalf. Organizations using LAquis SCADA version 4.3.1.1011 or earlier are affected.
💻 Affected Systems
- LAquis SCADA
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal SCADA operator credentials, gain unauthorized access to industrial control systems, manipulate HMI displays, or disrupt industrial operations through client-side attacks.
Likely Case
Attackers craft malicious URLs containing XSS payloads, trick operators into clicking them, then steal session cookies or credentials to gain unauthorized access to the SCADA system.
If Mitigated
With proper network segmentation, web application firewalls, and operator training about suspicious links, impact is limited to isolated browser sessions without system compromise.
🎯 Exploit Status
Reflected XSS vulnerabilities are commonly exploited and require minimal technical skill. Attackers need to trick users into clicking malicious links.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 4.3.1.1012 or later
Vendor Advisory: https://www.cisa.gov/uscert/ics/advisories/icsa-21-208-04
Restart Required: Yes
Instructions:
1. Download the updated version from the LAquis SCADA vendor.
2. Back up the current configuration and data.
3. Install the update following the vendor's instructions.
4. Restart the SCADA system and verify functionality.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy a WAF with XSS protection rules to filter malicious requests before they reach the SCADA application.
Input Validation Enhancement
Implement additional input validation at network perimeter devices or reverse proxies to sanitize user input.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to restrict script execution sources
- Segment SCADA network from corporate network and restrict web interface access to authorized operators only
🔍 How to Verify
Check if Vulnerable:
Test by accessing the SCADA web interface and requesting a non-existent resource with a basic XSS payload like <script>alert('test')</script> in the URL parameters.
Check Version:
Check Help > About in the LAquis SCADA interface, or examine the installed program version in the Windows Control Panel.
Verify Fix Applied:
After patching, repeat the vulnerability test. The application should properly sanitize input and not execute the script.
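To make concrete what "properly sanitize input" means for an error page of this kind, and how the CSP header from the "If You Can't Patch" list fits alongside it, here is an added example (not LAquis code, and not the vendor's fix) of a 404 message rendered the vulnerable way and the hardened way. The handler names, the sample path and the header values are assumptions chosen for illustration; the verification check mirrors the test described above by looking for an unescaped script tag in the response body.

```python
import html

# Constructed sample: a request for a non-existent resource whose query string
# carries the page's test payload. Not taken from any real deployment.
SAMPLE_PATH = "/missing.html?id=<script>alert('test')</script>"


def render_404_vulnerable(requested_path: str) -> str:
    """Vulnerable pattern (hypothetical): the requested path is interpolated
    verbatim into the HTML error message, so markup in the URL is reflected
    back to the browser and will execute."""
    return (
        "<html><body><h1>404</h1>"
        f"<p>Resource not found: {requested_path}</p>"
        "</body></html>"
    )


def render_404_hardened(requested_path: str) -> tuple[str, dict]:
    """Hardened pattern (hypothetical): HTML-escape the path before
    interpolation, and send a Content-Security-Policy header so that even a
    missed escaping case would not yield an executable inline script."""
    safe_path = html.escape(requested_path, quote=True)  # < > & " ' become entities
    body = (
        "<html><body><h1>404</h1>"
        f"<p>Resource not found: {safe_path}</p>"
        "</body></html>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # Only same-origin scripts; no inline script, no plugins.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }
    return body, headers


def reflects_raw_script(body: str) -> bool:
    """Verification check: does the response body still contain an unescaped
    <script tag? True means the payload was reflected without sanitization."""
    return "<script" in body.lower()


if __name__ == "__main__":
    print("vulnerable reflects script:", reflects_raw_script(render_404_vulnerable(SAMPLE_PATH)))
    hardened_body, hardened_headers = render_404_hardened(SAMPLE_PATH)
    print("hardened reflects script:", reflects_raw_script(hardened_body))
    print("CSP:", hardened_headers["Content-Security-Policy"])
```

The escaping step is the actual fix; the CSP header is defense in depth and is the same control the workaround list recommends, so a patched deployment can keep it.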
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing script tags or JavaScript code in URL parameters
- Multiple 404 errors with suspicious parameter values
- Unusual user agent strings or referrer headers
Network Indicators:
- HTTP requests with encoded script payloads in query strings
- Traffic patterns showing users accessing unusual resource paths
SIEM Query:
source="web_server_logs" AND (status=404 AND (url="*<script*" OR url="*javascript:*" OR url="*onerror=*"))