This afternoon the DHS ICS-CERT published an advisory
for multiple vulnerabilities in the 3S CoDeSys Gateway-Server application. The
vulnerabilities were reported by Aaron Portnoy
of Exodus Intelligence in a coordinated disclosure.
The Advisory
The reported vulnerabilities include:
• Improper access of indexable resource, CVE-2012-4704;
• Directory or path traversal, CVE-2012-4705;
• Heap-based buffer overflow, CVE-2012-4706;
• Improper restriction of operations within the bounds of a memory buffer, CVE-2012-4707; and
• Stack-based buffer overflow, CVE-2012-4708.
NOTE: the CVE links may not be active for a couple of days;
NIST uses this report to populate the CVE file.
ICS-CERT reports that a moderately skilled attacker could
remotely exploit these vulnerabilities to crash the system or execute arbitrary
code. 3S has produced a patch that ICS-CERT reports mitigates these
vulnerabilities.
Exploit Code Available?
The advisory states that there are no publicly available
exploits for these vulnerabilities. Given that they were reported by Exodus
Intelligence, I am not so sure that that is the case. Readers will remember my
comment on the Exodus business model in an earlier
blog post. EI provides their customers with exploit code for all of their ‘responsibly
reported’ discoveries either just after the vulnerabilities are reported or
when the vendor reports the vulnerabilities. Now this might not fit the ‘publicly
available’ definition that ICS-CERT is using this week, but it looked like it
did last week with the Schneider advisory.