Saturday, February 18, 2012

ICS-CERT Publishes Two Nearly Identical Advisories

Yesterday ICS-CERT published two nearly identical advisories for products made by 7-Technologies: TERMIS and AQUIS. They also published an update for the Advantech Alert published on Thursday.

7-Technologies Advisories


Both advisories identify a DLL Hijacking vulnerability in the systems that would allow a moderately skilled attacker to remotely exploit these vulnerabilities with the potential for execution of arbitrary code. 7T has developed separate patches for both systems.

Interestingly the TERMIS patch was released almost a month before the AQUIS patch, but ICS-CERT is publishing both advisories at the same time (and published both on their secure server on the same date last month). I would assume that 7T did not notify ICS-CERT about the earlier patch until the second patch was also available. This was probably done because a relatively intelligent hacker would have been able to quickly realize that the TERMIS vulnerability was also present in AQUIS.

The differences between the two advisories are trivial; the name and description of the affected software and the link to the patch are just about the limit of difference. ICS-CERT even provides the same (not yet active) CVE link for both advisories.

Advantech Alert


The update to the Advantech Alert adds two additional researchers, Rios and McCorkle, to the list of security researchers responsible for identifying the 18 vulnerabilities in the BroadWin WebAccess application.

ICS-CERT Terms of Use


ICS-CERT recently changed the wording in the grey box at the bottom of the first page of these alerts and advisories. As late as February 14th the wording was: “Please see the DHS Disclaimer notice, available here: http://www.us-cert.gov/privacy.html#notify”. That probably wasn’t getting much click through so it was changed on the February 15th generic ICS alert to read: “This product is provided subject to the Terms of Use as indicated here: http://www.us-cert.gov/privacy.html#notify”.

Now I know (Sarcasm Alert) that everyone diligently reads and complies with all ‘Terms of Use’ requirements on every web site that they click through. I do want to specifically note two items in their (US-CERT) “Terms of Use” section of the US-CERT Website Policies web site: their ‘permission to link’ requirements and ‘copyright’ notice.

Their permission to link notice is relatively short so I’ll reproduce it in its entirety here:

“You may link to the US-CERT website by using "US-CERT" as a text hyperlink, provided the following text is included on the website: "This link is provided for informational purposes only and does not represent an endorsement by or affiliation with the Department of Homeland Security (DHS)." You are not permitted to use the US-CERT or DHS wordmark, logo, seal, or icon.”

I’m sorry, that doesn’t work for me (nor, I’m assuming, for very many other people). So, I am hereby providing public notice that I refuse to comply with the ‘permission to link’ requirements of US-CERT. I am relatively sure that the way I provide links to documents in this blog does not lead anyone to believe that I have or am claiming any affiliation with US-CERT or ICS-CERT. Using “US-CERT” as the text base for those alerts is just plain silly; it would interfere with readers’ clear understanding of what I was writing, and requiring me to use it is an infringement on my freedom of speech and/or expression.

Now as to the copyright permission limitations, I have always been taught that the Federal government cannot copyright any information that it produces. Now I have no intention of commercially reproducing the alerts or such that I find on the ICS-CERT web site nor would I typically consider posting a full copy of such documents on this blog or my web site (http://chemicalfacilitysecuritynews.com; not much there but I do use it to publish documents from time to time). I do provide quotes from US-CERT and ICS-CERT documents from time to time, but those would be governed by the fair use doctrine in any case and I think my attribution of those quotes is adequately clear to my readers.

So, in short, I am pretty much going to ignore the ‘Copyright Permission’ as well. But I did think that these two requirements should be made clear to the remainder of the cybersecurity community so they could make their own determination of how they wanted to deal with this situation and didn’t run afoul of the Terms of Use by accident.

1 comment:

Dale Peterson said...

Hi Patrick,

I agree there is no need to follow those instructions.

I wouldn't worry about the copyright either since a large part of the text, and most of the new information in the ICS-CERT Alerts, come from other sites.

At least you, and I, have the courtesy to link to the bulletin when we discuss it. ICS-CERT has not linked once to the Basecamp posts or pages that disclose the vulnerabilities even though they just paraphrase what we identify.

Dale Peterson
www.digitalbond.com

 