Friday, October 14, 2011

ICS-CERT Addresses Another Luigi Vulnerability

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published a new alert for reported vulnerabilities in the MICROSYS Promotic HMI, the same vulnerabilities that Luigi posted on his web site yesterday. Of course, ICS-CERT does not mention Luigi in its Alert.

NOTE: Luigi recently Tweeted® about this failure of ICS-CERT to acknowledge uncooperative disclosers. He wrote:

“[D]oes ICS-CERT know the difference between credits and reporting the original source of an information? security through obscurity or spite?”

Three vulnerabilities are identified and all are exploitable remotely. The vulnerabilities are:

• Directory Traversal – Data leakage;

• Stack Overflow – DoS, possible remote code execution; and

• Heap Overflow – DoS, possible remote code execution.

BTW: ICS-CERT has published a new public key to be used in encrypting sensitive communications (reports of a cyber-attack, for instance) being sent to ICS-CERT.

