Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published a new alert concerning an ActiveX vulnerability with publicly available exploit code on Advantech’s Broadwin WebAccess. Needless to say this was an uncoordinated disclosure with an undisclosed (in this Alert) researcher discovering the vulnerability.
Actually this vulnerability was reported at exploit-db.com by Snake on All-Hallows Eve. It is a buffer overflow vulnerability and allows an attacker to remotely execute arbitrary code.
More to follow.
Thanks to Dave Barnett on LinkedIn’s Cyber Security in Real-Time Systems group for pointing out Snake’s report.
BTW: About Tuesday’s GE vulnerabilities, Joel Langill at SCADAhacker is reporting that he believes that the three vulnerabilities were discovered by our old friend Luigi. I can’t find any confirmation from Luigi’s web site or Bugtraq where he frequently posts his exploits, but Joel is much more in touch with these things than I am.
More News from Joel: Joel’s tweets last night pointed out that there are two coordinated ICS vulnerabilities pending public disclosure; one on an ABB system, and one on an Indusoft system. Interestingly one of the coordinated disclosures was reported by Luigi; maybe he’s coming in from the cold.
No comments:
Post a Comment