Today the DHS ICS-CERT published a control system
advisory for an improper input validation vulnerability in the SUBNET Solutions
Inc. SubSTATION Server software application. The vulnerability was reported by
Adam Crane and Chris Sistrunk in yet another coordinated disclosure.

ICS-CERT reports that a moderately skilled attacker could
remotely exploit the vulnerability to execute a denial of service attack.
SUBNET Solutions has produced an upgraded version of the software that is
available by contacting the company. ICS-CERT reports that SUBNET has
self-certified the efficacy of their revision.

BTW: There are still 15 ‘pending’ vulnerability reports on
the Project Robus web site; the number does not seem to be
increasing. As I understand it, Adam and Chris have
taken a brief sabbatical from identifying new vulnerabilities to help re-write
portions of the DNP protocol to help eliminate these problems. Hopefully when
that is done they will select a new target for their interests.