Friday, ICS-CERT published two advisories, one was an update of an alert from January (Indusoft Advantech Studio) and the other was an update of an advisory published earlier this week (360 Systems Image Server).
This advisory outlines the response of InduSoft (ICS-CERT variously uses Indusoft and InduSoft as the name of the company; the company web site uses InduSoft, so I’ll try to stay with that convention) to the uncoordinated disclosure made in January by Nin3. The vulnerability is a directory traversal in both the Advantech Studio and InduSoft Studio products. Nin3 published exploit code with the disclosure.
The advisory notes that a relatively low-skilled attacker could remotely exploit this vulnerability and gain access to arbitrary files. InduSoft has produced a hotfix for this vulnerability that is available from their customer support (email@example.com).
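The advisory does not describe the mechanics of the flaw beyond calling it a directory traversal, but the defensive check such a hotfix has to implement is well understood: every file name a client supplies is resolved against a fixed base directory and rejected if the canonical result lands outside it. The following is an added example written for this post; it is not code from InduSoft, ICS-CERT, or the advisory, and the base directory layout, the `resolve_under_base` function and the sample requests are all constructed here for illustration.

```python
import os
import re
import tempfile
from typing import Optional

# Constructed sample root: a hypothetical project directory holding one screen file.
# Nothing here reflects the real InduSoft/Advantech Studio on-disk layout.
def make_sample_root() -> str:
    root = tempfile.mkdtemp(prefix="traversal_demo_")
    os.makedirs(os.path.join(root, "screens"))
    with open(os.path.join(root, "screens", "main.scr"), "w") as f:
        f.write("sample screen data\n")
    return root


def looks_like_traversal(requested: str) -> bool:
    """Cheap syntactic signal useful for logging/alerting, independent of the
    authoritative canonical-path check below: any '..' path segment, an
    absolute path, a drive letter, or an embedded NUL byte."""
    if "\x00" in requested:
        return True
    normalized = requested.replace("\\", "/")
    if normalized.startswith("/") or re.match(r"^[A-Za-z]:", normalized):
        return True
    return any(seg == ".." for seg in normalized.split("/"))


def resolve_under_base(base: str, requested: str) -> Optional[str]:
    """Return the canonical on-disk path for a client-supplied name, or None
    if it would escape the base directory.  The decision is made on the
    resolved path (symlinks and '..' collapsed), not on the raw string, so
    encoded or mixed-separator tricks that normalize to '..' are caught too."""
    if "\x00" in requested:
        return None
    normalized = requested.replace("\\", "/")
    # Absolute paths and drive-letter paths are never legitimate client input here.
    if normalized.startswith("/") or re.match(r"^[A-Za-z]:", normalized):
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, normalized))
    # commonpath rather than startswith: '/srv/app' must not accept '/srv/app2/x'.
    try:
        inside = os.path.commonpath([base_real, candidate]) == base_real
    except ValueError:  # different drives on Windows
        inside = False
    return candidate if inside else None


def read_screen(base: str, requested: str) -> Optional[str]:
    """Serve a file only after the path check passes; returns None on refusal
    or if the file does not exist."""
    path = resolve_under_base(base, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    root = make_sample_root()
    for req in ["screens/main.scr", "screens/../../../../etc/passwd",
                "..\\..\\boot.ini", "/etc/passwd", "screens/./main.scr"]:
        print(f"{req!r:45} traversal_signal={looks_like_traversal(req)!s:5} "
              f"resolved={resolve_under_base(root, req)}")
```

The two functions serve different purposes: `resolve_under_base` is the enforcement point, and `looks_like_traversal` is only a detection hint for a log line or an IDS rule. A service that implements the first still benefits from the second, because a burst of rejected `..` requests against a HMI web interface is exactly the kind of event an operator would want flagged.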
The advisory notes that “InduSoft products are often integrated as third-party components in other vendors’ products”. I would suspect that InduSoft has notified the vendors that use InduSoft Studio as a component in their control system products of the vulnerability and the availability of a hotfix. There is nothing, however, that says that those vendors have to notify their customers of the vulnerability. And there is nothing that guarantees that the InduSoft hotfix would work properly in those products.
I would like to think that ICS-CERT received a list of those vendors from InduSoft and has contacted them. This would put them under the 45-day ICS-CERT disclosure policy where ICS-CERT would publish an advisory on their product whether or not the vulnerability had been fixed. I don’t think this will happen, that would be just a tad bit too proactive for a government agency.