This afternoon the DHS ICS-CERT published an alert for multiple SCADA-HMI vulnerabilities reported by Luigi in the xArrow SCADA-HMI application. The four reported vulnerabilities are:
• Decompression NULL Pointer;
• Heap Corruption;
• Invalid Read Access; and
• Memory Corruption.
The alert notes that the vulnerabilities are all remotely exploitable and that proof-of-concept code is available on the Luigi web site (NOTE: ICS-CERT does not provide a link to that site).
Interestingly, there is another SCADA vulnerability listed on the Luigi web site that was published on the same day (March 2nd, 2012) as the xArrow vulnerability. That vulnerability is reported in the Beckhoff TwinCAT system; it is an integer overflow vulnerability in the TCatScopeView application. I wonder why there isn’t an ICS-CERT alert for that vulnerability, unless, of course, there is already another, coordinated disclosure in the works for that vulnerability.