accounting

Some housekeeping was performed on the Project Robus site this morning to account for some pending tickets that may (or definitely will not) result in advisories.  There are various reasons why this occurs.

DNP3 vulnerability #19 was from a source code library supplied by a company called SystemCORP.  Upon request, they supplied us with an evaluation copy of a Windows DLL for their outstation.  We reported an “infinite-loop” vulnerability to the vendor and ICS-CERT on August 6th of last year.  Since that time, the vendor has stopped communicating with the Robus team or ICS-CERT.  I don’t really see the point of disclosing the vulnerability itself, but those considering using their products should know that this is what they might expect in the future.  This company also sells solutions for 61850, IEC 60870, Modbus, etc… you get the idea.  They have some explaining to do to their existing customer base.  There were also claims that the product isn’t sold into US markets. Considering that they’re a source code provider and not an embedded device vendor, I don’t really see how they make this distinction.  Regardless, I hope this firm is using the first fuzzer release to good effect.

DNP3 vulnerability #20 was found in a fairly new RTU product from a major vendor.  We found an issue with the master implementation that required manual intervention to reset the fault.  The vendor had only a couple of customers using a very early version of the firmware. In these situations, an advisory serves little purpose since all customers can be notified quickly, directly, and discreetly.  This was a great find for the project and the vendor because we were able to eliminate a bug prior to mass deployment.