Friday, November 2, 2012

EOScada Alert from ICS-CERT

Yesterday DHS ICS-CERT published an advisory concerning multiple vulnerabilities in the EOScada application from C3-ilex based upon a coordinated disclosure from Dale Peterson of Digital Bond [Links added 11-03-12 06:30 EDT] (yep, it appears that even Dale will succumb to the temptation to coordinate a disclosure). Dale identified vulnerabilities on multiple ports related to improper access control, resource management errors (on two different ports) and data leakage.

The advisory reports that a low skilled attacker could remotely exploit these vulnerabilities. C3-ilex has produced a patch that is available to owners that have an up-to-date service agreement with the company. Other owners will have to pay for the patch. Yes, the advisory says that owners without a service agreement will have to pay to get these vulnerabilities that were due to design ineptitude corrected. I think that I would rather pay to replace the offending system and never do business with the vendor again.

I’ll bet that if Dale had known that this vendor would charge for patches he never would have been involved in a coordinated disclosure.

1 comment:

Anonymous said...

Whether you agree or disagree with his philosophy on the subject, Dale is a man of his word.

He claims that there are many more disclosures that he has not made because he was contractually obligated not to. I have no reason to doubt him.

However, when conducting an open investigation, I am pretty sure he believes sunshine is the best disinfectant. I prefer a coordinated disclosure via ICS-CERT; but even in cases like that I have clear experience of different ethical stances which do not work well together.

I think something as sensitive as industrial control systems should warrant staged disclosure via a vehicle such as ICS-CERT. Yes, they have room for improvement, but they're still the best (only) other alternative besides disclosing on your own, or selling vulnerabilities.

If nothing else, it shows reasonably civil intent. And in a law-suit hungry field such as this, it is a good alternative to going it alone.
