This afternoon the DHS ICS-CERT published an advisory for multiple stack-based buffer overflow vulnerabilities in the Advantech WebAccess application. The vulnerabilities were originally reported by Praveen Darshanam. According to ICS-CERT, Advantech is planning on releasing a new version that mitigates the vulnerabilities.
ICS-CERT reports that a relatively unskilled attacker could use publicly available proof-of-concept code to remotely exploit these vulnerabilities to crash the application or execute arbitrary code.
Darshanam published the vulnerabilities, with exploit code for each of the four vulnerable ActiveX components, on the SCADASEC list yesterday. He explained the reason for publicly releasing the vulnerabilities this way:
“Vulnerabilities were reported to Advantech sometime in January/February 2015, coordinated through CSOC (Australian Cyber Operations Centre) Security. From April 2015 they have been postponing the fix.”
Once again a company that does not work with a security researcher to fix vulnerabilities in its product finds that the researcher can publicly embarrass it. How long is it going to be before the users of control systems can count on their vendors (all of their vendors) to promptly respond to vulnerabilities identified in their products?
1 comment:
Probably well-intentioned. But ignorant and dangerous. I thought we'd be past this sort of behavior from researchers by now.
Sure, let people know "there's a problem". But give it more than six months (that's shorter than the possible patch cycle in many plants). And don't hand out the skeleton key that unlocks the door. Let's make it just a little more difficult than that.