This afternoon the DHS ICS-CERT updated the advisory they published yesterday for an improper input vulnerability in the Emerson HART DTMs. Recent readers will be familiar with the revision published today; ICS-CERT reversed their claim that; “Exploits that target this vulnerability are known to be publicly available.” They now report that: “No known public exploits specifically target this vulnerability.”
There was nothing in the Emerson Security Report that mentioned the existence of exploits. I noted a BlackHat 2014 presentation about DTMs made by Alexander Bolshev, the researcher who reported the vulnerability, but it does not actually show an exploit. Bolshev’s S4x14 talk shows a number of HART exploits, but not one I can point to as being this one.
I guess the key here is that Emerson probably complained that there is no public exploit of the specific vulnerability reported in this advisory. Not being able to point to a specific exploit, ICS-CERT was forced to print their ‘correction’.