Today the DHS ICS-CERT published an alert for a public report of a vulnerability in the Cobham Sailor 900 VSAT. The vulnerability was publicly disclosed without coordination with either the vendor or ICS-CERT. ICS-CERT is trying to coordinate with the vendor to determine if the vulnerability actually exists and, if it does, what the vendor will be doing about mitigating it.
ICS-CERT reports that the vulnerability is a buffer overflow that would allow a remote attacker to execute arbitrary code. ICS-CERT notes that the vulnerability does not appear to affect navigation.
It has been a while since we have seen an alert from ICS-CERT; more researchers who publicly report vulnerabilities are now coordinating their disclosures through one agency or another. ICS-CERT does not typically identify the researcher or the location of the publication of the uncoordinated disclosure.
This vulnerability is not in a system that most people associate with ‘industrial control systems’, but it does show how widespread cyber vulnerabilities have become. It will be interesting to see what downstream control systems could be affected by an exploit of this vulnerability. There are lots of control systems on modern ships.
Is ICS-CERT the most logical agency to handle this disclosure? Maybe not, but they would have more experience coordinating disclosures than either the Coast Guard (maritime) or the FCC (sat com).