Wednesday, November 16, 2011

ICS-CERT Publishes InduSoft Advisory

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an advisory for the InduSoft Web Studio software. Interestingly, they give Luigi credit for discovering this vulnerability; Luigi coordinated his disclosure with the Zero Day Initiative so this time he did not run afoul of the ICS-CERT disclosure policy.

The vulnerabilities involve an unauthenticated remote code execution capability within the remote agent component of the system. They would allow a moderately skilled attacker to remotely execute arbitrary code. There are no publicly available exploits for these vulnerabilities.

NOTE: CVE numbers have been assigned for these two vulnerabilities, but the links provided in the Advisory do not actually link to the CVE files. It is not clear whether this continuing problem is a NIST or an ICS-CERT problem.
