Multiple DeltaV products contain a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the programs not properly sanitizing unspecified user-supplied input before using it in SQL queries. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Currently, there are no known workarounds or upgrades to correct this issue. However, the vendor has released a patch to address this vulnerability.

• CVE ID: 2012-1815 (see also: NVD)
• Secunia Advisory ID: 49210
• Bugtraq ID: 53591
• Related OSVDB ID: 81996 82012 82013 82014
• Other Advisory URL: http://www.us-cert.gov/control_systems/pdf/ICSA-12-137-01.pdf [ Link is 404 ]
  http://www.us-cert.gov/control_systems/pdf/ICSA-12-138-01.pdf

• Kuang-Chun Hung - Information and Communication Security Technology Center