Last week I did a blog posting about an ICS-CERT advisory on a system vulnerability that had been publicly disclosed back in June. I noted in that post that such a public disclosure would normally have been expected to be reported as an alert shortly after the disclosure. That wasn’t done in this case, nor did DHS mention a second system vulnerability that was included in the same public disclosure.
A while back (I’m not sure exactly when, as I didn’t pay too much attention) ICS-CERT changed their vulnerability notification process page. They added the following notice:
“UPDATE! In cases where a vendor is unresponsive, or will not establish a reasonable timeframe for remediation, ICS-CERT may disclose vulnerabilities 45 days after the initial contact is made, regardless of the existence or availability of patches or workarounds from affected vendors.”
Reading over the remainder of the page I don’t see any mention of alerts vs advisories; truth be told though, I don’t know if there ever was such a mention on the page. A close reading of the page does seem to indicate that ICS-CERT intends to give all vulnerability disclosures, coordinated and otherwise, at least 45 days for the vendor to convince ICS-CERT that they are working hard on fixing the problem.
Now this seems to track with the time frame on the Reid Wightman disclosure that formed the basis for the ORing Industrial Networking advisory, and it would explain why the other vendor mentioned in Reid’s post on DigitalBond.com did not have an advisory published for their nearly identical vulnerability: the second vendor convinced ICS-CERT that they were working on a mitigation/patch strategy.
A single data point, however, doesn’t make for good analysis. Trying to figure out where I could get additional data points, I decided to go to Luigi’s web site, since he is such a prolific vulnerability discloser. Sure enough, since June 1st Luigi has posted five disclosures on his web site that have yet to make it to the ICS-CERT site. They include:
• SpecView – Web server directory traversal - http://aluigi.org/adv/specview_1-adv.txt
• PowerNet Twin Client – Stack buffer overflow (DOS) - http://aluigi.org/adv/powernet_1-adv.txt
• Sielco Sistemi Winlog – Multiple vulnerabilities - http://aluigi.org/adv/winlog_2-adv.txt
• Pro-face Pro-Server – Multiple vulnerabilities - http://aluigi.org/adv/proservrex_1-adv.txt
Now we all know that the fine folks at ICS-CERT follow Luigi fairly closely. They have publicized all of his uncoordinated disclosures in the past, usually within a day of their being posted on his web site. It is too much to think that they have stopped following Luigi now, so it looks like the days of alerts are over.
In one way it seems like a good thing to treat researchers the same whether or not they coordinate their disclosures. It does, however, put users at a disadvantage. The earlier ICS-CERT policy ensured that there was a single point the average owner/operator could monitor for word of an uncoordinated disclosure of a vulnerability. This allowed them to take at least some precautions to protect their systems while the vendor was working on a patch to correct the problem.
Without the early warnings provided by ICS-CERT Alerts, owners are put at a distinct disadvantage. Black hats certainly share the information found in these public posts, particularly the proof-of-concept exploits that typically accompany the publication of the vulnerabilities (they certainly do for Luigi’s vulnerabilities).
So the bad boys get a 45-day head start on owner/operators; essentially a 45-day 0-day exploit. Oh, and it’s not just the one researcher or organization that has the 0-day, it’s everyone that has access to the researcher’s site. Maybe the folks at ICS-CERT need to re-examine their new policy.