ICS-CERT updated their Advisory ICSA-11-094-02A – Advantech/Broadwin WebAccess RPC Vulnerability last week, and inspired us to start our Insecure Products List. The update was short but serious:
“Advantech/BroadWin has notified ICS-CERT that a patch will not be issued to address this vulnerability.”
This is a remotely exploitable vulnerability that Ruben Santamarta, @reversemode, found and even issued exploit code to remove any doubt. What is the appropriate response from DHS, ICS-CERT and the ICS security community at large to this?
Before answering that, there are at least two common, and I’d argue legitimate, business reasons why a vendor would choose not to patch a vulnerability. First, the product has been superseded by a newer product and is in an end of life phase. Hopefully the vendor has provided multi-year warning that support is going away. Second, the product has so many design flaws that there is no hope for securing it, and the vendor has notified customers they are going to move to a newer model if they want security. Last decade there were some major products from major companies that were forced to admit to their user groups they could not be secured.
Next stop was to the Advantech and BroadWin websites to see how they were characterizing the vulnerability and their decision not to fix it. . . . . Complete silence on this issue. Come on in and buy the product. It’s great.
ICS-CERT and DHS have been very helpful in forcing an answer from Advantech and publishing it, but how long will this response will aged off their page and forgotten … less than a month at the current pace of ICS vulns. So it is likely that many customers considering and purchasing the product will never know they have bought a system that can be easily exploited.
DHS recent stance that insecure by design products, even those that are remotely exploitable because they lack any security controls, are not going to be considered vulnerabilities makes it difficult for them to come down hard on Advantech or any other product that has known exploits. Still it seems like more should be done than a one line update in an advisory.
Any ideas from loyal readers?
Image by Nesher Guy