Today the DHS ICS-CERT published an advisory for a password encryption vulnerability in the Rockwell Automation RSView32 application. The vulnerability was reported by Vladimir Dashchenko and Dmitry Dementjev of the Ural Security System Center. Rockwell has produced a software patch to mitigate the vulnerability, but there is no indication that the researchers have been given the opportunity to verify the efficacy of the fix. This advisory was originally released on the US CERT Secure Server on May 12th.
ICS-CERT reports that this vulnerability would be difficult to exploit, as it would require access to the file in which the user names and passwords are stored, reverse engineering the encryption, and then using a social engineering attack to complete the exploit.
Once again we have ICS-CERT taking a vulnerability with a reported low exploitability to the Secure Server while they publicly release vulnerabilities that can be exploited by attackers with relatively low skills. Something is amiss here.