Yesterday, the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) another advisory on a SCADA related systems with a buffer overflow vulnerability. This time it concerns three InduSoft applications to develop HMI, SCADA systems and embedded instrumentation solution and one or more of the applications may be bundled as third-party applications in SCADA systems.
Heap-based and stack-based vulnerabilities were identified that would provide a moderately skilled an opportunity to perform arbitrary code execution which could impact the SCADA production environment. A patch is available to fix this vulnerability.
These applications are not typically bought by control system users, but they may be bundled within a control system bought from some other vendor. Once again this points out the importance of a SCADA user knowing what components of other vendors are bundled within their system. In a perfect world the system vendor would automatically include a list of such bundled software in their system documentation provided to the buyer. In the real world the cyber security manager will likely have to request this information from the system vendor.