Tuesday, September 8, 2015

ICS-CERT Publishes Advantech Advisory

This afternoon the DHS ICS-CERT published an advisory for multiple stack-based buffer overflow vulnerabilities in the Advantech WebAccess application. The vulnerabilities were originally reported by Praveen Darshanam. According to ICS-CERT Advantech is planning on releasing a new version that mitigates the vulnerabilities.

ICS-CERT reports that a relatively unskilled attacker could use publicly available proof of concept code to remotely exploit these vulnerabilities to crash the application or execute arbitrary code.

Darshanam published the vulnerabilities with exploit code for each of the four vulnerable ActiveX components on the SCADASEC list yesterday. He explained the reason for publicly releasing the vulnerabilities this way:

“Vulnerabilities were reported to Advantech sometime in January/February 2015, coordinated through CSOC (Australian Cyber Operations Centre) Security. From April 2015 they have been postponing the fix.”

Once again a company that does not work with a security researcher to fix vulnerabilities in its product finds that the researcher can publicly embarrass them. How long is it going to be before the users of control systems can count on their vendors (all of their vendors) to promptly respond to vulnerabilities identified in their products?

1 comment:

Andrew said...

Probably well-intentioned. But ignorant and dangerous. I thought we'd be past this sort of behavior from researchers by now.

Sure, let people know "there's a problem". But give it more than six months (that's shorter than the possible patch cycle in many plants). And don't hand out the skeleton key that unlocks the door. Let's make it just a little more difficult than that.
