This afternoon the DHS ICS-CERT published an improper input validation (DNP3) advisory for the Elecsys Director Gateway application. The vulnerability was reported by Crain-Sistrunk-Todorski (newest member of the team) in a coordinated disclosure. Elecsys has developed a patch to mitigate the vulnerability and the patch has been validated by Adam Crain.
ICS-CERT reports that a moderately skilled attacker could remotely exploit the vulnerability “to affect the availability of the DNP3 master slave communication in Elecsys Director Gateway.”
In addition to the patch, ICS-CERT notes that: “Because this vulnerability is identified with fuzzing tools, the researchers suggest developers use extensive negative testing during quality control of products.” Hmm. Adam has been saying this on his web site for about six months now; I wonder why ICS-CERT has now picked up the refrain.
BTW: Adam has not changed the count of advisories on the Robus web page. A tweet today mentioned this as a “mini advisory” so maybe this isn’t included in the count of 25 advisories that have been coordinated to date. Or maybe Adam just got tired of counting coup; no challenge anymore.