Yesterday the DHS ICS-CERT published a revision to an alert and an advisory to address the issues in an earlier alert. The systems involved are the WAGO IO 750 and the Wonderware SuiteLink.
WAGO Alert Update
This updated WAGO alert is updating an alert issued five months ago concerning multiple vulnerabilities in the IO System 750 identified by Digital Security Research Group (DSecRG). WAGO has issued a cybersecurity bulletin that recommends disabling two ports when ‘not actively in use’ and ensuring that the Web Server Authentication feature remains enabled.
It is unusual that successful (well the revised alert doesn’t say that anyone has confirmed that these measures actually work, but it sounds as if they should) mitigation measures are put into a revised alert instead of a final advisory. ICS-CERT doesn’t explain why they have taken this step, but I suspect that it is because implementing these measures leaves operators set up for future failure when they forget the reason for disabling the features and leave them enabled when the ports are required to be used for updating firmware for instance.
What is severely disappointing is that it took five months for WAGO to come up with these mitigation measures which required no real work on their part beyond publishing a notice on their web site. This would have been a smart move on their part if it had happened within a day or two of the publication of the original alert, pending a more structural change in the software. At this late date it indicates that the management team doesn’t care about security issues with their products. CAVEAT EMPTOR
This advisory for a stack-based buffer overflow vulnerability is a better example of how mitigation measures should be handled. The original alert based upon a Luigi uncoordinated disclosure was published just over a month ago. Invensys has produced a patch for their SuiteLink package and its efficacy has been verified by Luigi. The thirty-five day turnaround on an uncoordinated disclosure is very reasonable.