Friday, December 23, 2011

ICS-CERT Finally Issues Siemens Advisory

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an advisory about the Siemens authentication bypass issues that have been widely discussed in the blogosphere since Tuesday when Billy Rios published his response to the Siemens denial of the existence of a problem.
There is more detailed information about the vulnerability in Billy’s blog, but this Advisory does provide two important bits of information. First Siemens publicly admits the existence of the vulnerability and lists the affected systems. Second that Siemens plans to release a Service Pack next month that will resolve the issue.

Reading through the comments on Billy’s blog it seems that the Siemens statement that started the public disclosure process might have been the result of a misunderstanding between the Reuters person and the Siemens person (and I may be overgenerous in that assumption; I wasn’t there), but Siemens has obfuscated so often on their past vulnerabilities that no one is willing to cut them any slack. Siemens PR has a long way to go and a short time to get there.

BTW: There continue to be problems at ICS-CERT with their handling of CVE links beyond the slow posting of information at NIST. The two CVE links in this report have typos in them that make them useless. Both are missing periods [.] between ‘nvd’ and ‘nist’. In the link for CVE-2011-4508 this causes the link to be truncated to Http://web.nvd. In the second CVE link it becomes Both links are useless. While neither CVE is active yet, the links should be:

No comments:

/* Use this with templates/template-twocol.html */