Today, CISA’s NCCIC-ICS published a control system security advisory for products from Delta. I also take a down-the-rabbit-hole look at the relationship between advisories from the Zero Day Initiative and CISA.
Delta Advisory
This advisory describes a stack-based buffer overflow vulnerability in the Delta DIAScreen visualization software. The vulnerability was reported by Natnael Samson via the Zero Day Initiative. Delta has a new version that mitigates the vulnerability. There is no indication that Samson has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reported that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to cause a stack-based buffer overflow, resulting in execution of arbitrary code.
DTRH ZDI Reports
Whenever CISA notes that the researcher for a vulnerability worked with the Zero Day Initiative in disclosing the vulnerability, I turn to the ZDI web site to see if their advisory on the vulnerability is available. Most frequently ZDI advisories are not available on the day that CISA publishes their advisory. And that is the case today.
Interesting thing though, that page only shows the published advisories. They have a companion ‘Upcoming’ page for listings of vulnerabilities that have been reported to them, but have not yet been publicly disclosed. In keeping with their coordinated disclosure policy, the information disclosed on that page is very limited: vendor name, researcher name, CVSS score, date reported, and the date they expect to publish their advisory. That last date is a ‘no earlier than’ date; when the vendor is working with them in good faith and has legitimate reasons to request a delay, ZDI withholds publication.
Looking on this page for Delta Electronics and Samson I find eight listings that were reported to ZDI on April 3rd, 2024 and an expected publication date of August 1st, 2024:
Note that the CVSS score for all eight ZDI vulnerabilities is 7.8, the same score that is being reported by CISA in today’s advisory.
Now if these vulnerabilities match up with CISA’s advisory (and that is currently just an assumption on my part), why would there be eight ZDI vulnerabilities and only one CISA vulnerability? Is CISA hiding something? I do not think so; CISA gains nothing from trying to hide vulnerabilities. What it looks like is that the researcher has found eight closely related stack-based buffer overflow vulnerabilities (in this particular case) in the same component of the vulnerable product. ZDI wants to give the researcher credit for finding all eight vulnerabilities.
CISA is not going to provide exploit-level detail on the vulnerabilities. Since they all affect the same component (and assuming that the vendor is going to correct all eight), CISA has no reason to publish eight separate vulnerabilities, since the owner/operators already know that the product is vulnerable to a stack-based buffer overflow. That is CISA’s focus: ensuring that the users have the data they need to securely operate their equipment.
We can see another example of this happening with an earlier Delta Electronics advisory. CISA reported CVE-2024-39881. ZDI published six advisories for the same CVE: ZDI-CAN-23926, ZDI-CAN-23924, ZDI-CAN-23919, ZDI-CAN-23918, ZDI-CAN-23917, and ZDI-CAN-23842.