I received three anonymous comments today about last night’s post about ICS-CERT alerts. Well, they were probably the same comments three times trying to ensure that I got the information. The comments were a list of ICS-CERT alerts for the Luigi vulnerability disclosures that I mentioned in that blog post. I have gone back and confirmed that not only were the alerts posted, but I commented on them in my blog.
Oh, well, I get stupid every once in a while. Somehow I missed them in my file search yesterday. My apologies to ICS-CERT and my readers. And thanks to my readers for pointing out the error.
There was one Luigi disclosure that wasn’t given an alert, but even Luigi noted on his web site that the system was only marginally related to control systems so ICS-CERT apparently decided that it did not fall within their purview.
Okay, so my Luigi examples are full of c**p. That makes the Reid Wightman disclosures even more of an anomaly. Why was there the almost three-month delay between Wightman’s disclosure of the ORing vulnerability and the ICS-CERT Advisory? And why did ICS-CERT ignore the second disclosure in the same blog posting?
There is a fourth comment on the same blog post by another Anonymous reader that kind of obliquely mentions the US-CERT secure portal where properly vetted owners can sometimes access advisories when the vendor publishes the mitigation or patch before the vulnerability is made public. But that is a separate matter as it appropriately gives system owners the ability to patch their systems before the 0-day is disclosed to the public.