This afternoon the DHS ICS-CERT issued an advisory for an unauthorized file access vulnerability in the Ecava Sdn Bhd IntegraXor application. The vulnerability was reported by an independent researcher “Alphazorx aka technically.screwed” (you gotta love these handles) as a coordinated disclosure through ZDI. Ecava has produced an update to resolve the issue but it has not been validated by the researcher (more on that later).
ICS-CERT reports that the vulnerability can be remotely exploited by a relatively low-skilled attacker. Successful exploitation could result in the attacker gaining access to project directory files for the SCADA system.
Normally we do not see any information on why a patch or update’s efficacy has not been validated by the discovering researcher. In this case Ecava has provided a brief explanation with their report on this vulnerability. They were notified by ICS-CERT about the vulnerability on November 7th and had a published fix ready on November 11th. Apparently they waited until December 20th for an acknowledgement of the efficacy of their fix (after being advised to proceed without it by DHS on December 5th) and then publicly announced the vulnerability.
There is no word on why ICS-CERT waited almost 20 days to publish this advisory. I would like to think that it was to allow the system owners who were (presumably) contacted on the 20th to get the fix installed. If that was the reason, it would have been smart for ICS-CERT to make a comment to that effect in the advisory. It would have made them look more responsive. That probably wasn’t the reason though, as ZDI published their advisory (ZDI-13-277) on December 15th, so the vulnerability was in the public domain for almost a month before ICS-CERT published this advisory.
NOTE: I really should add ZDI and OVDB web sites to my daily crawl. In researching this post I noted that there are two ZDI reported vulnerabilities (ZDI-13-268 and ZDI-13-270) in the ABB MicroSCADA application that have not yet been reported by ICS-CERT; both reported in November by ZDI. Both have fixes in place.