Yesterday the DHS ICS-CERT published its first control
system alert in three months. It identifies two ActiveX vulnerabilities in the WellinTech
KingView SCADA/HMI interface. While not credited in the Alert, the
vulnerabilities were reported by Blake in twin reports (here and here) on Exploit-DB.com on
September 4th in an uncoordinated disclosure.
There is also news about an ICS certification program being developed.
WellinTech Alert
The ICS-CERT alert notes that the reports state that the
twin vulnerabilities (KChartXY and SuperGrid) are both remotely exploitable
with exploit code publicly available and would apparently allow for
overwriting arbitrary code. The alert also notes that the researcher provided mitigation
measures (setting the kill-bits on the controls) but does not provide links for
those claims (here and here).
I am disappointed that ICS-CERT has reverted to their old
policy of not identifying researchers responsible for uncoordinated
disclosures. While ICS-CERT would certainly prefer that disclosures are
coordinated with vendors so that fixes could be put into place before the vulnerabilities
are publicly disclosed, they must be aware that independent researchers rely on
either public accolades or on selling their discovered vulnerabilities for the
reward for their work. I would much rather see them get public accolades for
uncoordinated disclosure than have them sell the vulnerabilities on the black
market.
This is not the first ActiveX control vulnerability found in
the KingView product. An earlier ICS-CERT Alert was released in 2011
and the subsequent Advisory was released later
that year.
BTW: ICS-CERT now
provides sorting of Advisories and Alerts by vendor.
Control System Certification
ICS-CERT also added a brief new
article to their web site about a DarkReading.com
article about the recent announcement by Global Information Assurance
Certification (GIAC) that they were developing the Global
Industrial Cyber Security Professional (GICSP) certification to be released
this fall.