This afternoon the DHS ICS-CERT published an advisory for a self-reported privilege escalation vulnerability in the Siemens COMOS database application. I assume that it is self-reported from the wording of the ICS-CERT advisory. The Siemens Product-CERT advisory says that “Siemens was notified of a vulnerability”, but no information was provided about a researcher responsible for the notification, so it appears that it was an internal notification.

ICS-CERT reports that a relatively low-skilled attacker with authenticated system access could use this vulnerability to escalate their access to system engineering files. This is not, strictly speaking, a control system vulnerability, but information available from the system could be used to make an attack on a control system more effective.

Siemens has developed a patch for this vulnerability. Since this is a self-reported vulnerability, there is no expectation that there will be an independent verification of the efficacy of the patch.

NOTE: Siemens reports the publication date of their advisory as August 9th, 2013. There seems to be an increasing delay in ICS-CERT publishing advisories about self-reported disclosures and coordinated disclosures that are not coordinated through ICS-CERT. I am not sure if this is a funding issue or just a failure of ICS-CERT to routinely check vendor disclosure sites. I suppose that whether or not that is a problem depends on how many organizations are actually depending on ICS-CERT for vulnerability notification.