We have two publicly disclosed industrial control system
product vulnerabilities this week that were not addressed by ICS-CERT; one
reported by a security researcher and the other self-reported by the vendor.
HP Vulnerability
On Wednesday Maor Shwartz from SecuriTeam described on FullDisclosure a
cross-site scripting vulnerability in the Hewlett Packard Baseline Smart Gig
SFP 24 ethernet switch. This product was acquired by HP from 3Com (3Com Baseline
Switch 2924 SFP Plus Switch) and is no longer supported, so no fix is forth
coming. The SecuriTeam
blog provides a proof of concept exploit for the vulnerability.
ABB Vulnerability
On Tuesday Joel Langill, on LinkedIn, pointed
out a cybersecurity
advisory from ABB on their FOX515T release 1.0 communications equipment. It
describes a local file inclusion vulnerability in the embedded web server. This
is another out-of-service product with no fix in the works.
Commentary
Joel and I had a brief discussion on LinkedIn about this
type of out-of-service vulnerability reporting. I had my typical snarky comment
about no one using out-of-service equipment in the ICS realm. Joel had a very
interesting reply:
“Like so many of the ICS-CERT
advisories. Still wonder why they waste valuable time on disclosures of
unsupported equipment. My lab is still a wealth of discovery and exploitation!
But I prefer to keep these vulns quiet.”
I have to vigorously disagree with Joel. I think that
someone needs to publicize these types of vulnerability reports because so many
facilities are actually continuing to use ‘outdated’ control system devices on
the ‘if it ain’t broke don’t fix it’ model. Depending on the severity of the
vulnerability (and the site-specific risk calculation) the disclosure of these
vulnerabilities may be just the ‘it is broke’ incentive that owners need to
replace the equipment to avoid the vulnerability. Holding these vulnerabilities
in-house (either at a researcher or vendor level) provides little service to
owners.
Now, there is a legitimate question if this is an
appropriate function for ICS-CERT to perform. I point at them as the default
government agency in the control system security realm, but they do not have a
specific mandate to do this nor do they have a specific mandate of any kind.
They are an agency created out of whole cloth by DHS without specific
authorization by Congress. A necessary move, to be sure, but there has been no
public discussion of, or political determination of, the specific role of the
organization. That really needs to change.
Posts
No comments:
Post a Comment