mailing list archives
Re: Vulnerabilities in some SCADA server softwares
From: Simple Nomad <thegnome () nmrc org>
Date: Wed, 23 Mar 2011 15:51:23 -0500
On 03/23/2011 03:01 PM, Jim Harrison wrote:
BTW, now that you know about it and there is no defined mitigation, what
exactly*will* you do about it?
This seems rather obvious, but....
1. Ensure none of the affected SCADA systems are present on my work's
network (BTW none are present on my home LAN).
2. Ensure that these systems, if they exist, are not accessible from
either the Internet or even the local network where most of the users are.
(BTW those first two are a given as far as security 101 is concerned,
the rest seem like common sense)
3. Use Luigi's advisories and POC to understand the nature of the
4. Write custom IDS/IPS signatures to detect said vulnerabilities (not
the exploits, big difference).
5. *If* these systems must, for whatever stupid reason, be attached to
the regular LAN with the regular users, the IDS/IPS signatures will
disallow the malicious connectivity they detect. If I am really
paranoid, or feel that I cannot construct an adequate mitigation
strategy that allows access, then all access is disallowed until a patch
6. *If* the systems are not accessible, but in the future they have to
be, for whatever stupid reason, I have some sigs and some steps I can take.
Is that perfect? No of course not. Can I sell this plan to upper
management? Sure. All of the "bad" info is public, remember? Can I now
lean on the vendor and bitch about how vulnerable we are? Absolutely.
I have worked at large corporations, done full/limited/responsible
disclosure professionally and as a hobby, and have worked for vendors
who sold security solutions and who have had bugs in their products
reported to them. There is no solution for bug disclosure, period.
Someone somewhere will get pissed off, and no matter what the "rules"
are someone will break them.
The disclosure method is irrelevant actually. One learns to adapt
quickly to new information whether "good" or "bad", or dies standing
around bitching about something that didn't go their way they can't
Re: Vulnerabilities in some SCADA server softwares Kent Borg (Mar 23)