This afternoon the DHS ICS-CERT published an
improper input validation (DNP3) advisory for the Elecsys Director Gateway
application. The vulnerability was reported by Crain-Sistrunk-Todorski (newest
member of the team) in a coordinated disclosure. Elecysy has developed a patch
to mitigate the vulnerability and the patch has been validated by Adam Crain.
ICS-CERT reports that a moderately skilled attacker could
remotely exploit the vulnerability to “to affect the availability of the DNP3
master slave communication in Elecsys Director Gateway
Devices”.
In addition to the patch, ICS-CERT notes that: “Because this
vulnerability is identified with fuzzing tools, the researchers suggest
developers use extensive negative testing during quality control of products.”
Hmm. Adam has been saying this on his
web site for about six months now; I wonder why ICS-CERT has now picked up
the refrain.
BTW: Adam has not changed the count of advisories on the
Robus web page. A tweet today
mentioned this as a “mini advisory” so maybe this isn’t included in the count
of 25 advisories that have been coordinated to-date. Or maybe Adam just got
tired of counting coup; no challenge anymore.
Posts
No comments:
Post a Comment