Tuesday, November 29, 2011

ICS-CERT Publishes Two Luigi Vulns – Old and New

Today the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published two reports on two Luigi-reported vulnerabilities. The first is an alert for a new vulnerability in MICROSYS, spol. s r.o. PROMOTIC, a Czech SCADA HMI. The second is an update to an older advisory on the GE Proficy system.


The PROMOTIC alert is a bit unusual in that it does not involve a remotely exploitable vulnerability. It is a use-after-free vulnerability that requires the loading of a ‘specially crafted’ project file. That file causes the program to terminate, allowing an opportunity to execute code after the allocated resources are freed up.

Luigi provides detailed information on his web page about this vulnerability.

BTW: Luigi was kind enough to post a comment to yesterday’s ICS-CERT related post providing a link to the Optima vulnerability information on his web page.

GE Proficy Update

ICS-CERT updated their GE Proficy Historian advisory simply to provide notice that Luigi was the researcher who initially discovered this vulnerability. Since this was technically a coordinated disclosure that Luigi worked through the Zero Day Initiative (ZDI), it is appropriate that he be given credit.

Looking at the ZDI web site for this vulnerability, it looks like they gave Luigi credit all along, so it seems odd that the folks at ICS-CERT overlooked giving him credit for this long. Oh well, better late than never…
