http://www.itwire.com/business-it-news/security/51019-critical-infrastructure-exploitable-vulnerability-will-not-be-patched

By David Heath
iTWire
09 November 2011

In April this year, a vulnerability was discovered in a commonly used critical infrastructure Web Access product. Exploit code was also made available. The manufacturer has announced that no patch will be released.

According to ICS-CERT, advisory ICSA-11-094-02A spells out the following:

“Independent security researcher Rubén Santamarta has identified details and released exploit code for a Remote Procedure Call (RPC) vulnerability in Advantech/BroadWin WebAccess. This is a web browser-based human-machine interface (HMI) product. This RPC vulnerability affects the WebAccess Network Service on 4592/TCP and allows remote code execution.

“Advantech/BroadWin has notified ICS-CERT that a patch will not be issued to address this vulnerability.”

Allow me to repeat that. A simple RPC exploit in software that is used for a variety of critical infrastructure projects WILL NOT BE PATCHED.

[...]

_____________________________________________________
Subscribe to InfoSec News - www.infosecnews.org
http://www.infosecnews.org/mailman/listinfo/isn

Received on Thu Nov 10 2011 - 00:15:27 PST