It has been three weeks since ICS-CERT last published an advisory. Yesterday they published an advisory for an improper input validation vulnerability in the GE Cimplicity system. The vulnerability was discovered by two researchers, ZombiE and amisto0x07, and was released in a coordinated disclosure via HP TippingPoint’s Zero Day Initiative.
ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to execute arbitrary code on the system. GE has released updates for the affected systems, but ICS-CERT does not report that anyone has independently verified the efficacy of the fix.
The GE Security Advisory for this vulnerability actually describes this as “multiple vulnerabilities”, as the problem exists when GlobalView, WebView or ThinView are enabled. GE recommends that these views be disabled if they are not being used and provides instructions for doing so. If GlobalView is needed, it should be configured to run with the IIS web server.
BTW: GE published their advisory on June 18th. I would like to think that the delay in publishing the ICS-CERT version was so that it could be released on the restricted US-CERT server to allow owners with access to that service a chance to correct the problem before public disclosure was made. But ICS-CERT usually mentions that in their advisories when that occurs.