I got an interesting email from Essobi (pronounced SOB) otherwise known as Kyle Stone about his claim to have discovered the Sixnet vulnerability and the failure of his attempt to execute a coordinated disclosure with the vendor and ICS-CERT last year; before Mehdi Sabraoui’s disclosure reported by ICS-CERT. I have no way of verifying this claim, but would refer readers to a video of Kyle’s presentation at DerbyCon last week. Beware, Kyle doesn’t like the way his situation was handled and has complaints about how vendors and ICS-CERT handle attempted coordinated disclosures; an interesting discussion. By the way the discussion also includes a wide variety of exploits that Kyle executed on the Sixnet device; Sixnet will not like the discussion.
Kyle does make a couple of interesting points in his email and video. First his reported disclosure also included undocumented TCP/UDP and serial ports on specific Suxnet RTUs and the fact that these vulnerabilities exist in remarketed RTUs, including the Honeywell RC500.
BTW: Kyle also points out that the ICS-CERT link to the original release of the Sixnet advisory is dead. Well that’s not exactly true, it’s live but it links to an empty page on the ICS-CERT site.