RA Security email

daba

Has anyone else received emails from RA about DoS security..

The links in the email look OK to me, but always wary about email links...
 
the email says I should follow the link and "reset my password" - looks dubious to me
 
If you read it again, it points users to the knowledgebase to read a full copy.
If you have no knowledgebase login then you can get it by using reset password link.

For those who do NOT have a Knowledgebase account, we have established one for you as part of this mailing.
You simply need to read TN 970074
 
I entered the KB manually, not from the email link, and yes, a search reveals the DoS vulnerability article, so if anyone else is watching, the email link is valid.

What I don't like is RA telling the world the vulnerability they have found, almost telling the bad people how to use it to their advantage....

RA knowledgebase article : access level Everyone said:
An exploit of this vulnerability could induce a fault condition, and may also allow an attacker to execute code on a target controller through a buffer overflow. As of this announcement and to the knowledge of Rockwell Automation, there is no publicly available exploit code relating to this vulnerability.

was that a good move ?
 
I think it's generally assumed that bad guys already know things, even if no exploit code has been found in the wild. Releasing the information just levels the playing field for the good guys. If you know what it is, you can try to mitigate it.

Haven't read the details of this specific vulnerability, but many vulnerabilities from all brands can be found here, at a government website:
https://ics-cert.us-cert.gov/advisories-by-vendor
 
Well it seems from that website that specific vulnerability (or another similar) was known about in October 2011....
 
My point is...

"no-one has got into my house, even though I leave a key under the third flower-pot in my back yard" - not a bright disclosure...

even if the bad guys were guessing, and spending hours trying to find the way in, publishing enough detail to make their sad lives easier doesn't seem right....

we, the users, don't need to know specifics about how vulnerabilities can be exploited when we have no control or means to mitigate them.

sure, tell us that security issues exist, and tell us to upgrade to Version XX.X on our platforms to close the doors, but don't tell the whole world how the security could be breached, that is not important information for the end-user. all he needs to know is how to lock the doors.

you've made the assumption that the bad guys know this vulnerability, that's like saying...

"no-one has got into my house yet, even though I already told you I leave a key under the third flower-pot in my back yard - come on guys, break in, but be aware everyone now knows you are coming, and how you are getting in"
 
I don't see a problem with their statement. It adds urgency and realism to it: "wow, this is a real threat and I better update".
Gets people talking and thinking about it.

Would you update if they just said "There is a possible security flaw and we recommend that you update"?

For 1 plc?
For 20 plcs and a plant shutdown?
For 100 plcs across multiple customers using your machine?


I'm just saying, their email got you fired up enough to start this thread; which is helping to spread the word that everyone needs to update.
And I'm sure it helps reduce their liability "we told you so".
 
It only adds urgency and realism because they've disclosed the route-map...

At the time they posted this vulnerability, they said they had no evidence of any attacks, but I believe they have set off a time-bomb.

A bomb that is ticking, while people frantically update their installations, hoping that no bad guys can use the information they provided, free-of-charge, before they get their 1, 10, 100 systems secured. I'm sure in a big organisation such an upgrade across their installations could take weeks, even months... meanwhile.... systems are exposed, and the exploit path is now common knowledge because they thought it was "right" to tell everyone "how".... Their customers could have been told of the urgency without lighting the fuse....

I still maintain it was not a smart move to give the level of detail they did..... The bad guys don't need, or deserve, any help.
 
It seems pretty vague in its description to me. Nowhere near as specific as your example of "a key under the third flower-pot in my back yard".
 
It's not vague - it's worse than that... my example would be in context if a bad guy was targeting only my property - their disclosure of how an exploit could be deployed is anyone's property - sort of like telling the community that everyone puts their key under the third flower-pot...
 
