Wonderware intouch 9.0

The risk is the asset owner's, so they need the information to make a decision. They may decide the features do not warrant an upgrade, but if the security issue was disclosed they may reach a different decision. An asset owner does not have the information to determine if they should upgrade or not. This is a classic example of the silent fix. I checked with friends who had access to this site, and they found no notice. Not even on their limited access support site. To the best of my knowledge, prior to our disclosure to US-CERT, Wonderware had not disclosed, nor did they intend to disclose, the vulnerability. It was only when I told them this vulnerability was being reported to US-CERT and we were just trying to be accurate on their disclosure to date that the tenor changed. I contacted Wonderware and got the same answer, and they felt the case was closed. Still no answer to the question of whether Wonderware had told their customers or planned on telling their customers. At this point Xavi asked for our assistance in working the issue with Wonderware and US-CERT if appropriate. They said the product is just a “toolbox”, and it is impossible for them to control how customers use the product. They mentioned customers with support contracts could upgrade to 9.0. The whitepaper did not address the vulnerability. They sent out a very large whitepaper “Securing Industrial Control Systems” and implied that customers needed to read this to fix the vulnerability. Given the long lifecycle of control system devices and applications there will likely be 8.0 systems for at least another five years. What was Wonderware going to do to notify InTouch 8.0 customers of the vulnerability and the fix? After all, InTouch 8.0 is still being sold to existing users through the end of the year. A solution to remove the vulnerability and a reasonably prompt vendor response by disclosure standards.
After some back and forth, Wonderware indicated in June that the vulnerability was not present in InTouch 9.0 and Xavi was able to verify this. On April 17th Xavier Panadero of Neutralbit contacted Wonderware about the InTouch 8.0 vulnerability.

Our approach is to let a coordination center, US-CERT in this case, determine what disclosure is appropriate.

Saga may be overstated since the process did not take that long, but it was a classic example of why we don’t agree with leaving disclosure decisions up to the vendor, or the researcher.














