Two days ago ICS-CERT published a minor update to their alert
from August, 2015 for a hard-coded password vulnerability in KACO HMI products.
The revised version added a single sentence to the summary portion of the
Alert:
“According to this report, the
password is easily found in the client code.”
I have no idea why ICS-CERT thought that this was important
enough to add to the alert seven months after it was originally published. I
suppose that it could be because KAKO has not been responsive enough in
addressing this vulnerability.
Readers of this blog might be more than a little surprised
that it has taken me two days to report on this update. The reason for that is
simple, I just received an email this morning from ICS-CERT advising me of the
recent update; this notification is a service that anyone can sign up for and I
have previously mentioned it. A couple of months ago ICS-CERT changed their
policy of listing updates to their alerts and advisories on their landing page. They had been making Twitter®
notifications of these revisions, but did not do so in this case.
There are a couple of other oddities about how they handled
this update. Normally ICS-CERT annotates changed versions of alerts and
advisories by sequentially adding a letter to the end of the advisory number;
for example, a first update would be labeled ICS-ALERT-16-074-XXA. They did not
do that in this case. Another thing that they normally do is to highlight the
changed areas in the body of the alert or advisory. Again, they did not do so
in this case.
Now, none of these irregularities has a real impact on the
information presented and in this case the change to the document is so minor
that perhaps they thought that all of these additional details were not needed.
Just for the record here is the personal web site of the researcher,
Aditya K Sood, who reported this vulnerability and a link to video of his
presentation where he publicly
disclosed this (and at least 3 other) HMI zero-days.
In any case there are muckrakers and nitpickers like me to
keep the public informed, so now you know about this minor change and the
oddities that go with it. I’ll leave it to the reader to figure out what this
all means.
No comments:
Post a Comment