Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Vulnerabilities in some SCADA server softwares
From: Simple Nomad <thegnome () nmrc org>
Date: Wed, 23 Mar 2011 14:33:48 -0500

On 03/23/2011 01:36 PM, J. Oquendo wrote:
You're flawed in your response: "Public exposure increases the
visibility, and therefore customersinstall the patches quicker." ...
When someone "full discloses" a vulnerability, there is no patch to
install quicker. This is obvious because there is no patch until either
the vendor releases one, or staff using the product are capable of
creating a work-around. In the case of the SCADA environment, we (again)
are not talking about the potential of a defacement, blue screen, silly
shell, we're talking about sensor, gears and often so much automation
that it would be absurd for a SCADA engineer to "go it alone" and try
create their own patch. Many of these systems don't have the option of
failing or being taken offline. You also state: "Without public
visibility, they will keep running the old code" the reality is, no one
is going to outright replace some of these systems in these
environments. These are not applications and or systems one can plop
onto donated boxes. They have no choice BUT to run the code.

Actually they have the choice to not run SCADA systems open to the Internet. If they are so critical that you are "playing with fire" like you mentioned in another email, why would they be accessible via script kiddie attack, or any remote over-the-tubes attack? Running SCADA systems open to the entire Internet is what I would call irresponsible.

At this point, it is academic anyway. The cat is out of the bag. Thanks Luigi, I at least know about these issues now.

-SN


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault