Our friend Luigi is back in an ICS-Advisory with an uncoordinated disclosure of multiple vulnerabilities in QNX products and Jon Christmas of Solera Networks has a coordinated disclosure for a vulnerability in a Triangle Research PLC. In an interesting twist, Luigi confirms the efficacy of the QNX patch while TRI self-validates their patch.
This advisory reports multiple vulnerabilities reported by Luigi. Luigi’s report was posted on his web site in May 2012, but it wasn’t picked up by ICS-CERT for an alert at that time. It may have been that ICS-CERT wasn’t really looking at vulnerabilities in embedded systems at that time. Or maybe they just weren’t watching Luigi because of his new business. In either case (or some other that I missed), QNX took action to address the following vulnerabilities:
• Stack-based buffer overflow, CVE-2013-2687; and
• Buffer copy overflow, CVE-2013-2688
NOTE: The CVE links are not yet live; it will be a day or two.
ICS-CERT notes that a relatively unskilled attacker using Luigi’s code could remotely exploit these vulnerabilities to execute a DoS attack or execute arbitrary code.
Jon reported an improper input validation vulnerability in the Nano-10 PLC. ICS-CERT reports that this vulnerability could be remotely exploited by a relatively low-skilled attacker if the firewall has port TCP/502 open. It could be used to execute a DoS attack.