Tuesday, August 23, 2011

Ignition Vulnerability Advisory Published by ICS-CERT

I don’t know how I missed writing about this before now, I mean the headline is incredibly catchy, but last Friday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an advisory about an information disclosure vulnerability in Inductive Automation’s Ignition software. The vulnerability was discovered by Ruben Santamarta and it allows unauthorized users to remotely download system and project information (including authorized usernames and password hashes) via a simple connection to a specific URL address.

Inductive Automation has developed an upgraded version of the Ignition software which is available for download.

I’m always amazed at the ability of security researchers to discover these vulnerabilities in complex control system software. It takes a peculiar twist of the mind to be able to read code as if it were one’s birth tongue rather than a foreign language learned late in life. My hat’s off to Ruben for the effort and ability that went into discovering this obscure but potentially devastating vulnerability. I’m glad that he’s working on the disclosure side of that skill set, not the exploitation side.

BTW: Yesterday ICS-CERT published an update of their Siemens PLC vulnerability summary advisory that I discussed earlier. They corrected an apparent typo on page 8; substituting the word ‘interoperability’ for ‘inoperability’. Interestingly this is one of the specific sentences in the advisory that Ralph Langner took objection to in his blog post criticizing this advisory and somehow he read it the way that ICS-CERT intended it to read (as corrected here) not how it was actually published.

No comments:

/* Use this with templates/template-twocol.html */