Saturday, April 30, 2011

ICS-CERT Publishes 7-T IGSS Advisory

On Friday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published a new advisory for the 7-Technologies (7-T) Interactive Graphical SCADA System (IGSS) describing a remote stack overflow vulnerability in that system that was initially reported by a security researcher.

The advisory notes that an attacker with an intermediate skill level could develop an exploit for this vulnerability that would enable a denial of service attack and possibly remote execution of ‘arbitrary code’. An updated version of the software is available from 7-T that eliminates this vulnerability.

Coordinated Release

ICS-CERT included an unusual sentence in their advisory, describing how the public disclosure of this vulnerability was handled. ICS-CERT noted (page 1):

“ICS-CERT has confirmed that Insomnia Security and 7T coordinated this vulnerability prior to public release of this report.”
As I have noted in a number of earlier blogs there is an on-going debate in the cyber security research community on effectiveness of coordinating vulnerability information releases with the vendor so that the vulnerability and effective mitigation measures can be announced at the same time. ICS-CERT, who offers their services to help in the coordination effort, prefers coordinated releases (all other things being equal).

It was obvious without this notice in the advisory that a coordinated release had happened. The information on the 7-T update of the IGSS program was the give away. The addition of this sentence appears to be directed at the security research community as a reminder that ICS-CERT is available to conduct the coordination, and may actually prefer to be the coordination agency.

No comments:

/* Use this with templates/template-twocol.html */