Thursday, December 8, 2011

ICS-CERT Updates 3S CoDeSys Alert

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) updated the alert on the 3S CoDeSys webserver that was published last week. The update adds three new vulnerabilities to that system that were reported by Luigi on his website on November 29th. Luigi’s report also included the Stack Based Buffer Overflow disclosed in the original alert.

DOS Attacks

The three new vulnerabilities all provide an attacker with the ability to remotely execute a DOS attack on the CoDeSys webserver. There are two null pointer vulnerabilities and an integer overflow vulnerability added to the alert.

Why Not a New Alert?

It is not clear why ICS-CERT is adding these vulnerabilities to the existing alert instead of issuing a new alert. Since ICS-CERT had already been coordinating with the previous researcher and the vendor on the buffer overflow vulnerability, adding these new vulnerability would probably just slow the mitigation process.

One possibility is that ICS-CERT is trying to put more pressure on CoDeSys to develop a patch for the current problem. That pre-supposes that the reason the original researcher, Celil Unuver of SignalSEC Labs,  decided to go public after initiating a coordinated disclosure was foot dragging on the part of CoDeSys. ICS-CERT did not say that that was a problem; it’s just inferred from the action of the researcher.

No comments:

/* Use this with templates/template-twocol.html */