SNOsoft/Netragard’s Kevin Finisterre recently released an Exploit, not Attack Code, to demonstrate that a critical vulnerability does exist in Citect’s CitectSCADA product. This code was released so that users of the product could accurately determine their own level of risk and exposure as well as determine the seriousness of the risk it creates as it relates to their infrastructure. This code was released after the vendor, Citect, had created a fix for the vulnerability and after people had been given sufficient time to implement the fix.
It is important to understand that the risk to Infrastructural businesses existed well before Kevin released his exploit code and well before Core Security released their advisory. The risk was born the moment the programming error in the CitectSCADA product happened. When Core Security identified the risk and notified the vendor, they began the process of defending Infrastructural businesses against attack.
Citect responded very rapidly and appropriately to Core’s discovery and released a fix for the issue. Shortly thereafter, Kevin created a working Proof of Concept (“Exploit”) […]