Yesterday ICS-CERT published two nearly identical advisories for products made by 7-Technologies: TERMIS and AQUIS. They also published an update for the Advantech Alert published on Thursday.
Both advisories identify a DLL hijacking vulnerability in the systems that would allow a moderately skilled attacker to exploit it remotely, with the potential for execution of arbitrary code. 7T has developed separate patches for both systems.
Interestingly, the TERMIS patch was released almost a month before the AQUIS patch, but ICS-CERT is publishing both advisories at the same time (and published both on its secure server on the same date last month). I would assume that 7T did not notify ICS-CERT about the earlier patch until the second patch was also available. This was probably done because a relatively intelligent hacker would have quickly realized that the TERMIS vulnerability was also present in AQUIS.
The differences between the two advisories are trivial; the name and description of the affected software and the link to the patch are just about the only differences. ICS-CERT even provides the same (not yet active) CVE link for both advisories.
The update to the Advantech Alert adds two additional researchers, Rios and McCorkle, to the list of security researchers responsible for identifying the 18 vulnerabilities in the BroadWin WebAccess application.
Their permission to link notice is relatively short so I’ll reproduce it in its entirety here:
“You may link to the US-CERT website by using "US-CERT" as a text hyperlink, provided the following text is included on the website: "This link is provided for informational purposes only and does not represent an endorsement by or affiliation with the Department of Homeland Security (DHS)." You are not permitted to use the US-CERT or DHS wordmark, logo, seal, or icon.”
I’m sorry, that doesn’t work for me (nor, I’m assuming, for very many other people). So, I am hereby providing public notice that I refuse to comply with the ‘permission to link’ requirements of US-CERT. I am relatively sure that the way I provide links to documents in this blog does not lead anyone to believe that I have, or am claiming, any affiliation with US-CERT or ICS-CERT. Using “US-CERT” as the link text for those alerts is just plain silly; it would interfere with readers’ clear understanding of what I was writing, and requiring me to use it is an infringement on my freedom of speech and/or expression.
Now, as to the copyright permission limitations, I have always been taught that the Federal government cannot copyright any information that it produces. I have no intention of commercially reproducing the alerts and similar material that I find on the ICS-CERT web site, nor would I typically consider posting a full copy of such documents on this blog or my web site (http://chemicalfacilitysecuritynews.com; not much there, but I do use it to publish documents from time to time). I do provide quotes from US-CERT and ICS-CERT documents from time to time, but those would be governed by the fair use doctrine in any case, and I think my attribution of those quotes is adequately clear to my readers.