Tuesday, March 3, 2015

ICS-CERT Publishes MICROSYS Advisory

This afternoon the DHS ICS-CERT published an advisory for a stack-based buffer overflow vulnerability in the MICROSYS PROMOTIC application. The vulnerability was discovered by an anonymous researcher and coordinated through the HP Zero Day Initiative. MICROSYS produced a new version that mitigates the vulnerability, though there is no indication that the anonymous researcher was given the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability if the demonstration application is running. A successful exploit could lead to a denial-of-service condition or result in data leakage.

The MICROSYS description of the new version does not contain any discussion of the vulnerability or its fix.
