This afternoon DHS ICS-CERT published a control systemadvisory for two vulnerabilities reported in the Unitronics VisiLogic OPLC IDE. The vulnerabilities were reported (through ZDI) by Steven Seeley of Source Incite, Fritz Sands of ZDI, and Andrea Micalizzi. Unitronics has produced an update package but there is no indication that any of the researchers were provided the opportunity to verify the efficacy of the fix.
The two vulnerabilities were:
• Unsafe ActiveX control marked safe for scripting – CVE-2015-6478; and
• Code injection – CVE-2015-7905
ICS-CERT reports that a moderately skilled attacker could remotely exploit these vulnerabilities to execute arbitrary code.
There is nothing on the Unitronics web site or in the version documentation that describes the security vulnerabilities. There is the possibility that Unitronics directly contacted their customers during the period that this vulnerability was listed on the US CERT Secure Portal (posted November 3rd, 2015).
Actually, looking at the vulnerability ID number assigned by ICS-CERT (ICSA-15-274-02) it would seem that the advisory was probably placed on the Secure Portal on October 1st when the Omron advisory (ICSA-15-274-01) was published. Either that, or something happened at the last minute to cause ICS-CERT to hold the advisory for more than a month.
BTW: If you had been following the ICS-CERT notices on the Secure Portal, you would have already known about this vulnerability. If you are a critical infrastructure owner or cybersecurity officer see the bottom of the ICS-CERT landing page for instructions on how to apply for access.