There was an interesting Twitversation yesterday
about the Yokogawa advisory that ICS-CERT published
Thursday. I noted that Yokogawa was to be commended for self-reporting the
vulnerabilities. Dale Peterson from DigitalBond noted that the security note published
by Yokogawa credited Rapid7 and another researcher with reporting the
vulnerability.
Readers of my blog post will recall that I quoted from the Yokogawa
report, so I was surprised that I missed their researcher acknowledgement.
I opened up the document
referenced in Dale’s Tweet® and it surely does credit Juan Vazquez of Rapid7
and Julian Vilas Diaz with reporting the vulnerability. The only problem is
that that report is from March of 2014 and is not the document referenced in
the latest
ICS-CERT advisory. The report that Dale referenced is related to an ICS-CERT
advisory from May of last year.
The new advisory (from either ICS-CERT or Yokogawa) does not
provide enough details about the individual vulnerabilities to determine if
they are the same vulnerabilities reported last year. A closer look at the two
lists of covered products, however, does show that, for some of the listed
products at least, newer versions of the products are affected by the newer
advisory.
In any case, it is clear that Yokogawa has done a great deal
of work internally to identify the wide variety of products affected by these
three buffer overflows. That kind of product line investigation takes time and
resources and Yokogawa is to be commended for investing that kind of effort in
the internal security research effort.