1 Update Published – 9-24-20

 Today the CISA NCCIC-ICS published an update for a control system security advisory for products from 3S.

CODESYS Update

This update provides additional information on an advisory that was originally published on January 11^th, 2013. The new information includes:

• Adding CODESYS Control RTE to list of affected products,

• For CVE-2012-6068, replaced the ‘CVSS v2 base score of 10.0’ with the ‘CVSS v3 base score of 9.8’ along with the associated changes in CVSS vector string, and

• For CVE-2012-6069, replaced the ‘CVSS v2 base score of 10.0’ with the ‘CVSS v3 base score of 10.0’ along with the associated changes in CVSS vector string.

The update is a bit more complicated than that as NCCIC-ICS partially updated the format of the advisory to reflect a number of editorial changes made in the last seven years.

Commentary

Okay, a little background is in order on this ancient (in cyber years, but not as ancient in control system years) advisory. The CVE-2012-6068 vulnerability was initially reported by Reid Wightman at AppSec DC in April 2012. Dale Peterson has an excellent write up of the importance of this vulnerability over on DigitalBond. ICS-CERT published an Alert about the vulnerability on April 6^th, 2012 and then updated that Alert on October 26^th, 2012 to reflect the publication of two exploit tools by Reid. Eventually (January 11^th, 2013) ICS-CERT upgraded the Alert to the Advisory that was updated today. Oh, BTW, the 3S advisory for these vulnerabilities is no longer on their Security Reports web page; they only go back to February 14^th, 2017.

It seems a little more than odd that 3S would add a product to the affected product list seven+ years later. They either just now realized that the product was affected even though it was apparently ‘fixed’ at the same time as the other two affected products were, or they knew all along and just did not want to tell anyone about the problem in that product since it had not been identified by Reid. In either case it just emphasizes the apparent lack of concern at 3S about device security. And that is very disconcerting given the number of other vendors that use these affected products.