Wednesday, September 14, 2011

DHS ICS-CERT Issues Multiple Alerts

This morning DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published alerts about reported vulnerabilities in six different industrial control systems:

The alerts don’t give much information beyond the fact that vulnerabilities have been reported and that exploit code is apparently available. Some of the systems have multiple vulnerabilities reported. ICS-CERT doesn’t give any information on the security researcher who published the vulnerability information.

I saw an entry on the SCADASEC list yesterday that listed vulnerabilities in many of the same systems, and that message noted that Luigi Auriemma had listed them on Bugtraq. That Bugtraq message included links to Luigi’s explanation of the vulnerabilities. Interestingly, Norton is providing “Malicious Web Site Blocked” notices for those notes. The Luigi note also lists vulnerabilities in Carel PlantVisor and BroadWin WebAccess.

In closing his Bugtraq note Luigi left the following comment: “If there will be enough interest in these sectors [control systems and financial trading software] I will release new vulnerabilities in the next weeks.” Luigi continues to make control system security interesting.
