Thursday, August 24, 2023

Reader Comment – Software Supply Chain

Earlier this afternoon, Chris, a reader of my Substack blog, CFSN Detailed Analysis, left a comment on my post there on Six Advisories Published – 8-24-23, a more detailed version of my post here, Review – Six Advisories Published – 8-24-23. Chris commented: “Thanks for noting the software supply chain aspect on the Rockwell Automation advisory. It was a good reminder that this vulnerability is still out there and is gradually being patched in drivers.”

He was commenting on my note at the end of the discussion about the Rockwell input/output devices advisory. I noted that:

“NCCIC-ICS published an advisory for this vulnerability in the Pyramid products. That advisory also listed another vendor (Weidmueller) that was experiencing this vulnerability as a third-party vulnerability. Interestingly, the NVD.NIST.gov listing for this vulnerability does not list the Weidmueller advisory.”

CISA’s advisory today did not mention the earlier discussion, so most readers of today’s advisory would not understand the larger significance of the vulnerability. This is one of the areas where NCCIC-ICS (and its predecessor, ICS-CERT) has a mixed history in its information sharing efforts.

CISA could have published today’s information as an update to the earlier Pyramid advisory, adding a reference to the Rockwell advisory where they addressed the earlier Weidmueller advisory. Unfortunately, that would not have drawn the same amount of attention as a new advisory for the Rockwell derivative vulnerability.

And this is the problem with third-party vulnerabilities. A vulnerability in a piece of relatively little-known software just does not capture much attention, even within the community. It isn’t until the derivative problem in a better-known product becomes public that much attention is paid to the issue. But failing to clearly identify the source of the problem does not help.

But the larger issue that Chris identified in his comment is that there are almost inevitably other products from other vendors that are affected by the Pyramid vulnerability. Some of them are being fixed, without notice, and others remain vulnerable. None of the advisories discussed here address that issue.
