Thursday, March 17, 2016

ICS-CERT Updates KACO Alert

Two days ago ICS-CERT published a minor update to their alert from August, 2015 for a hard-coded password vulnerability in KACO HMI products. The revised version added a single sentence to the summary portion of the Alert:

“According to this report, the password is easily found in the client code.”

I have no idea why ICS-CERT thought that this was important enough to add to the alert seven months after it was originally published. I suppose that it could be because KACO has not been responsive enough in addressing this vulnerability.

Readers of this blog might be more than a little surprised that it has taken me two days to report on this update. The reason for that is simple: I just received an email this morning from ICS-CERT advising me of the recent update; this notification is a service that anyone can sign up for and I have previously mentioned it. A couple of months ago ICS-CERT changed their policy of listing updates to their alerts and advisories on their landing page. They had been making Twitter® notifications of these revisions, but did not do so in this case.

There are a couple of other oddities about how they handled this update. Normally ICS-CERT annotates changed versions of alerts and advisories by sequentially adding a letter to the end of the advisory number; for example, a first update would be labeled ICS-ALERT-16-074-XXA. They did not do that in this case. Another thing that they normally do is to highlight the changed areas in the body of the alert or advisory. Again, they did not do so in this case.

Now, none of these irregularities has a real impact on the information presented and in this case the change to the document is so minor that perhaps they thought that all of these additional details were not needed.

Just for the record, here is the personal web site of the researcher, Aditya K Sood, who reported this vulnerability, and a link to a video of his presentation where he publicly disclosed this (and at least 3 other) HMI zero-days.

In any case there are muckrakers and nitpickers like me to keep the public informed, so now you know about this minor change and the oddities that go with it. I’ll leave it to the reader to figure out what this all means.

