There was an interesting Twitversation yesterday about the Yokogawa advisory that ICS-CERT published Thursday. I noted that Yokogawa was to be commended for self-reporting the vulnerabilities. Dale Peterson from DigitalBond noted that the security note published by Yokogawa credited Rapid7 and another researcher with reporting the vulnerability.
Readers of my blog post will recall that I quoted from the Yokogawa report, so I was surprised that I missed their researcher acknowledgement. I opened up the document referenced in Dale’s Tweet® and it surely does credit Juan Vazquez of Rapid 7 and Julian Vilas Diaz with reporting the vulnerability. The only problem is that that report is from March of 2014 and is not the document referenced in the latest ICS-CERT advisory. The report that Dale referenced is related to an ICS-CERT advisory from May of last year.
The new advisory (from either ICS-CERT or Yokogawa) does not provide enough details about the individual vulnerabilities to determine if they are the same vulnerabilities reported last year. A closer look at the two lists of covered products, however, does show that, for some of the listed products at least, newer versions of the products are affected by the newer advisory.
In any case, it is clear that Yokogawa has done a great deal of work internally to identify the wide variety of products affected by these three buffer overflows. That kind of product line investigation takes time and resources and Yokogawa is to be commended for investing that kind of effort in the internal security research effort.