ICS-CERT Upgrades Another Advisory

Today the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) upgraded another alert to an advisory as the vendor provided appropriate mitigations for the reported vulnerability. This time the vendor was ScadaTec. The original alert described a buffer overflow vulnerability in the ScadaPhone and Modbus TagServer products and was published back in September.

Today’s advisory identifies the researcher as Steve Seeley and notes that ScadaTec has produced a patch to ‘resolve the vulnerability’. It turns out that the actual vulnerability was in the Abbrevia ZIP file handler. Newer versions of that software do not contain the same vulnerability. As always I have to ask what other vendors are still using the vulnerable versions in their software packages.

An interesting side note; the Advisory notes that the affected ScadaTec products are used principally in water treatment facilities in the United States and Australia.