Yesterday DHS ICS-CERT published an advisory concerning multiple vulnerabilities in the EOScada application from C3-ilex, based upon a coordinated disclosure from Dale Peterson of Digital Bond [Links added 11-03-12 06:30 EDT] (yep, it appears that even Dale will succumb to the temptation to coordinate a disclosure). Dale identified vulnerabilities on multiple ports related to improper access control, resource management errors (on two different ports) and data leakage.
The advisory reports that a low-skilled attacker could remotely exploit these vulnerabilities. C3-ilex has produced a patch that is available to owners who have an up-to-date service agreement with the company. Other owners will have to pay for the patch. Yes, the advisory says that owners without a service agreement will have to pay to have these vulnerabilities, which were due to design ineptitude, corrected. I think that I would rather pay to replace the offending system and never do business with the vendor again.
I’ll bet that if Dale had known that this vendor would charge for patches he never would have been involved in a coordinated disclosure.