This afternoon the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an alert for a vulnerability that was disclosed during today’s presentations at the SCADA Security Scientific Symposium (S4) put on by Digital Bond (full disclosure; I have provided some blog posts for Digital Bond over the last year or so). The alert is based upon information presented by Reid Wightman about the GE D20ME PLCs.
The advisory mentions two vulnerabilities; data leakage and arbitrary code execution. It does not mention the password retrieval tool mentioned in Dale Peterson’s blog post this evening about the day’s presentations at S4 or in the press release from Rapid7.
It is almost certain that more vulnerability alerts will come out of these discussions and classes in Miami this week.