This afternoon the DHS ICS-CERT updated the advisory they published
yesterday for an improper input vulnerability in the Emerson HART DTMs.
Recent readers will be familiar with the revision published today; ICS-CERT reversed
their claim that “Exploits that target this vulnerability are known to be
publicly available.” They now report that
“No known public exploits specifically target this vulnerability.”
There was nothing in the Emerson
Security Report that mentioned the existence of exploits. I noted a BlackHat
2014 presentation about DTMs made by Alexander Bolshev, the researcher who
reported the vulnerability, but it does not actually show an exploit. Bolshev’s
S4x14 talk shows a number of HART exploits, but not one I can point to as
being this one.
I guess the key here is that Emerson probably complained
that there is no public exploit of the specific vulnerability reported in
this advisory. Not being able to point to a specific exploit, ICS-CERT was
forced to print their ‘correction’.