Wednesday, May 16, 2012

Uncoordinated Luigi Again

Yesterday the folks at DHS ICS-CERT published an alert based upon an uncoordinated disclosure (NOTE: for some reason this link is on Luigi’s alternate site) by Luigi; obviously he hasn’t completely given up his independent disclosure ways. The alert concerns the Wonderware SuiteLink communications protocol. The vulnerability is an unallocated Unicode string vulnerability that can lead to remotely executed denial of service attack. Luigi calls it a ‘resource consumption’ vulnerability in newer versions of SuiteLink.

Wonderware has acknowledged the vulnerability and has system-specific mitigation upgrades available on their web site for some of the affected products. They are continuing to work on a ‘standalone update tool’ that will be useable across the product line. This looks like a really quick response to an uncoordinated disclosure; they must have known about the vulnerability already.

NOTE: For a variety of reasons I have missed reporting on a few of the more recent ICS-
CERT advisories. They include:

No comments:

/* Use this with templates/template-twocol.html */