This afternoon the DHS ICS-CERT published an advisory for a self-reported privilege escalation vulnerability in the Siemens COMOS database application. I assume that it is self-reported from the wording of the ICS-CERT advisory. The Siemens Product-CERT advisory says that “Siemens was notified of a vulnerability”, but no information was provided about a researcher responsible for the notification, so it appears that it was an internal notification.
ICS-CERT reports that a relatively low-skilled attacker with authenticated system access could use this vulnerability to escalate their access to system engineering files. This is not, strictly speaking, a control system vulnerability, but information available from the system could be used to make an attack on a control system more effective.
Siemens has developed a patch for this vulnerability. Since this is a self-reported vulnerability, there is no expectation that there will be an independent verification of the efficacy of the patch.
NOTE: Siemens reports the publication date of their advisory as August 9th, 2013. There seems to be an increasing delay in ICS-CERT publishing advisories about self-reported disclosures and coordinated disclosures that are not coordinated through ICS-CERT. I am not sure if this is a funding issue or just a failure of ICS-CERT to routinely check vendor disclosure sites. I suppose that whether or not that is a problem depends on how many organizations are actually depending on ICS-CERT for vulnerability notification.