Just a little over a month ago ICS-CERT took the unusual step of posting a master advisory covering 9 separate advisories for essentially the same input validation vulnerability in different systems. Anyone with rudimentary prognostication skills could have predicted that when ICS-CERT published two more advisories in the series, they would be morally required to update the list of included advisories. They did that today; published the –A version and added Catapult Software and GE to the list.
There are going to be at least 14 more advisories according to the Project Robus web site and Adam Crain admits they stopped counting, so it may be 15 or more yet to come. That ‘or more’ comes from the fact that multiple vendors have used the library identified in the Triangle Microworks advisory and they may/should self-report the vulnerability after they apply the fix developed by Triangle Microworks.
Oh yes, and Crain-Sistrunk are supposed to be presenting at Digital Bond’s S4x14 and will be discussing the fuzzing technique they’ve used to identify these vulnerabilities, so who knows how many other people will start looking for, finding and reporting these vulnerabilities.
We just might get to a –AA or –BB version of this advisory yet.