Tuesday, June 3, 2014

ICS-CERT Publishes New DNP3 Advisory

Today the DHS ICS-CERT published an advisory for a pair of vulnerabilities in the COPA-Data zenon SCADA software. This is the standard IP and Serial DNP3 communications vulnerabilities that I have been referring to as the Crain-Sistrunk vulnerabilities. Even though the advisory gives Crain and Sistrunk credit for the discovery of the vulnerability in this product, a TWEET® from Adam Crain informs us that COPA-Data bought his Aegis fuzzer, used it on their product and self-reported the vulnerability. You can’t ask for a better bit of advertising than that.

NOTE: According to a later TWEET, this was the free download version of the fuzzer that was used to discover these vulnerabilities. (Added 04:15, 6-4-14)

COPA-Data has developed a newer version of the affected product that mitigates the vulnerabilities.

No comments:

/* Use this with templates/template-twocol.html */