Yesterday DHS ICS-CERT published an advisory for the Emerson DeltaV service based upon a
coordinated disclosure by Kuang-Chun Hung of the Security Research and Service
Institute-Information and Communication Security Technology Center (ICST). The advisory
concerns a buffer overflow vulnerability that could allow a relatively low-skilled
attacker to crash the system by sending a specially crafted string to a specific
(but unnamed) port.
Emerson has crafted a hot fix for the problem that has been verified
to be effective by ICST. According to the advisory (which was published earlier
on the US-CERT restricted portal), Emerson contacted system owners with a
notification about the problem and solution. This is the first time that I have
seen an advisory note that the vendor directly communicated a vulnerability to
system owners; I would like to think that ICS-CERT has simply overlooked
mentioning this fact in other cases. If that is not the case, Emerson deserves
special kudos for this action and hopefully this starts a trend.