Information Security News mailing list archives
Critical Infrastructure exploitable vulnerability will not be patched
From: InfoSec News <alerts () infosecnews org>
Date: Thu, 10 Nov 2011 02:15:27 -0600 (CST)
http://www.itwire.com/business-it-news/security/51019-critical-infrastructure-exploitable-vulnerability-will-not-be-patched
By David Heath
iTWire
09 November 2011
In April this year, a vulnerability was discovered in a commonly used critical infrastructure Web Access product. Exploitable code was also made available. The manufacturer has announced that no patch will be released.
According to ICS-CERT, advisory ICSA-11-094-02A spells out the following:
“Independent security researcher Rubén Santamarta has identified details and released exploit code for a Remote Procedure Call (RPC) vulnerability in Advantech/BroadWin WebAccess. This is a web browser-based human-machine interface (HMI) product. This RPC vulnerability affects the WebAccess Network Service on 4592/TCP and allows remote code execution.
“Advantech/BroadWin has notified ICS-CERT that a patch will not be issued to address this vulnerability.”
Allow me to repeat that. A simple RPC exploit in software that is used for a variety of critical infrastructure projects WILL NOT BE PATCHED.
[...]