Yesterday the folks at DHS ICS-CERT published
an alert based upon an uncoordinated
disclosure (NOTE: for some reason this link is on Luigi’s alternate site) by
Luigi; obviously he hasn’t completely given up his independent disclosure ways.
The alert concerns the Wonderware SuiteLink communications protocol. The
vulnerability is an unallocated Unicode string vulnerability that can lead to
a remotely executed denial-of-service attack. Luigi calls it a ‘resource
consumption’ vulnerability in newer versions of SuiteLink.
Wonderware has acknowledged the vulnerability and has system-specific
mitigation upgrades available on their web site for some of the affected
products. They are continuing to work on a ‘standalone update tool’ that will
be useable across the product line. This looks like a really quick response to
an uncoordinated disclosure; they must have known about the vulnerability
already.
NOTE: For a variety of reasons I have missed reporting on a
few of the more recent ICS-CERT advisories. They include: