INL has “completed” a security assessment of the LiveData ICCP server. “The project identified one vulnerability, which was remedied and patched in the field without any adverse impact on existing installations.”
This is interesting. How did LiveData notify its customers of the vulnerability and patch? An update from 27 Nov 2007 is on their site, but no detail is available on what the maintenance release is for. Perhaps it is in another document or area.
LiveData’s ICCP stack is used in a variety of systems including Invensys and Telvent. Do LiveData’s OEM customers know of the vulnerability and patch? Do they plan to contact their customers?
As we have said before, the community really has no way of evaluating what an INL security assessment means, since the methodology and results are not public. Any testing is an improvement, so this is a net plus.
ICCP is of particular interest to Digital Bond since a very small review of the attack surface, using Matt’s iccpsic, easily found vulnerabilities in earlier versions of the LiveData ICCP server.