Dale must be proud (grin); this evening DHS ICS-CERT published its first alert for a vulnerability disclosed at Digital Bond's S4 conference in Miami. Appropriately enough, the vulnerability was disclosed by Luigi, the first since Luigi and his partner Donato formed ReVuln.com.
According to the alert, Luigi disclosed a buffer overflow vulnerability in the Ecava IntegraXor SCADA/HMI product. As with past Luigi disclosures, this one was accompanied by proof-of-concept code.
I think this is the same disclosure that Dale tweeted about this afternoon:
@digitalbond - Luigi & Donato demoing ICS vuln and their fix to it, without any vendor involvement, #S4x14
A buffer overflow vulnerability on its own is hardly worth mentioning at a conference like S4x14. The big news was apparently that Luigi and company had found a way to fix the vulnerability without getting the vendor involved. That would certainly be good news for Luigi's system-owner clients: they could get their systems fixed before anyone else, including the vendor, was even made aware of the vulnerability (with the caveat that a fix the vendor knows nothing about has to be carried forward by the owner across every subsequent vendor update).
While some vendors are working hard at establishing a reputation for responding quickly to vulnerability disclosures, most still have a long way to go (for example, we are still waiting on a piss pot load of vendor disclosures for the Crain-Sistrunk vulnerabilities identified last summer).