It was a great week in Indianapolis at ICSJWG / SCADASides, but the most exciting moment for me came on Tuesday when ICS-CERT released a DNP3 vulnerability advisory. Threatpost picked it up and published an article. I’m not sure what made the advisory an attractive topic for Threatpost, because they completely missed the most interesting aspect: Chris and I didn’t report the vulnerability and had no idea the advisory was coming out!

COPA-DATA used the Aegis 0.1.0 fuzzer released in March to test and self-report a vulnerability to ICS-CERT. They were even kind enough to credit Chris and me with the tool. We really can’t ask for more from our vendors. You clearly care, you know what process to follow, and you’re doing some level of threat intelligence on your own product lines. Thank you, COPA-DATA.

We didn’t receive any questions on the operation of the tool from COPA-DATA. This meant the tool was easy enough to use and the documentation was sufficient. This made Chris and me feel really good about the value we’d provided.

There are hundreds of latent vulnerabilities this fuzzer is capable of finding, if only vendors would use it. What percentage of these vulnerabilities will be identified, patched, and reported? Where are the major vendors whose systems we didn’t test, but which almost certainly have defects? Are they in the queue with ICS-CERT? I could provide a long list of things I know are currently vulnerable just based on vulnerabilities found in source code libraries. The next six months will tell us who’s paying attention and who is willing to self-report. Listen carefully and read between the lines.