Yesterday the DHS ICS-CERT published another web browser (no
not IE9) advisory,
this time with Fultek WinTR (a Turkish web based SCADA system). The directory
traversal vulnerability was reported by Daiki Fukumori of Cyber Defense
Institute. Fultek has not verified the vulnerability (ICS-CERT has) and has not
offered any mitigations (since they don’t have a problem why should they fix
it).
The Vulnerability
This is an increasingly common (read: it is being increasing
reported) vulnerability (CVE-2012-3011)
in SCADA/ICS web browsers. The web server does not adequately sanitize user
inputs allowing relatively unskilled attackers to retrieve arbitrary files from
the server. There is nothing in this advisory that describes the limits of what
files could be retrieved.
Denying Vulnerabilities
As far as I can tell this is the first time the ICS-CERT has
published an advisory for a vulnerability that the vendor has denied exits.
There have been alerts and advisories where the researcher blew the whistle in
the situation, but not one where ICS-CERT called out the vendor. I think that
this is a good move on their part for a number of reasons. First it makes it
easier for ICS-CERT to convince researchers to coordinate their disclosures.
Second, and maybe most important in my opinion, is that it provides a little
more pressure on recalcitrant vendors to respond more promptly to fix the
vulnerabilities identified.
Kudos to ICS-CERT for publishing this Advisory.
Posts
No comments:
Post a Comment