Yesterday the DHS ICS-CERT published another web browser (no, not IE9) advisory, this time for Fultek WinTR (a Turkish web-based SCADA system). The directory traversal vulnerability was reported by Daiki Fukumori of Cyber Defense Institute. Fultek has not verified the vulnerability (ICS-CERT has) and has not offered any mitigations (since they don’t have a problem, why should they fix it?).
This is an increasingly common (read: it is being increasingly reported) vulnerability (CVE-2012-3011) in SCADA/ICS web browsers. The web server does not adequately sanitize user inputs, allowing relatively unskilled attackers to retrieve arbitrary files from the server. There is nothing in this advisory that describes the limits of what files could be retrieved.
As far as I can tell this is the first time the ICS-CERT has published an advisory for a vulnerability that the vendor has denied exists. There have been alerts and advisories where the researcher blew the whistle in the situation, but not one where ICS-CERT called out the vendor. I think that this is a good move on their part for a number of reasons. First, it makes it easier for ICS-CERT to convince researchers to coordinate their disclosures. Second, and maybe most important in my opinion, is that it provides a little more pressure on recalcitrant vendors to respond more promptly to fix the vulnerabilities identified.
Kudos to ICS-CERT for publishing this Advisory.