Today the DHS ICS-CERT published an
advisory for a pair of vulnerabilities in the COPA-Data zenon SCADA
software. These are the standard IP and Serial DNP3 communications
vulnerabilities that I have been referring to as the Crain-Sistrunk
vulnerabilities. Even though the advisory gives Crain and Sistrunk credit for
the discovery of the vulnerability in this product, a TWEET® from Adam Crain
informs us that COPA-Data bought his Aegis
fuzzer, used it on their product and self-reported the vulnerability. You
can’t ask for a better bit of advertising than that.
NOTE: According to a later TWEET, this was the free download version of the fuzzer that was used to discover these vulnerabilities. (Added 04:15, 6-4-14)
COPA-Data has developed a newer version of the affected
product that mitigates the vulnerabilities.