This afternoon the DHS ICS-CERT published an advisory for multiple stack-based buffer overflow vulnerabilities in the Advantech WebAccess application. The vulnerabilities were originally reported by Praveen Darshanam. According to ICS-CERT, Advantech is planning on releasing a new version that mitigates the vulnerabilities.
ICS-CERT reports that a relatively unskilled attacker could use publicly available proof of concept code to remotely exploit these vulnerabilities to crash the application or execute arbitrary code.
Darshanam published the vulnerabilities with exploit code for each of the four vulnerable ActiveX components on the SCADASEC list yesterday. He explained the reason for publicly releasing the vulnerabilities this way:
“Vulnerabilities were reported to Advantech sometime in January/February 2015, coordinated through CSOC (Australian Cyber Operations Centre) Security. From April 2015 they have been postponing the fix.”
Once again a company that does not work with a security researcher to fix vulnerabilities in its product finds that the researcher can publicly embarrass them. How long is it going to be before the users of control systems can count on their vendors (all of their vendors) to promptly respond to vulnerabilities identified in their products?