15. September 2011 17:13
A person independent of Measuresoft, who is not a customer, downloaded Version 4.0.0, the demo version of the ScadaPro product, and, without his firewall active, observed that TCP port 11234 was opened by the ScadaPro service. The individual concerned then sent corrupt packets to this port and published the problems arising as a security vulnerability without notifying Measuresoft.
Our position is that the reported vulnerability was tested out of normal context and is inaccurate for the following reasons:
1) Windows firewalls block this port automatically, and end users must take definitive action, bypassing all Windows warnings, to allow traffic on this port.
2) All versions of ScadaPro up to and including Version 4.0.0 do not require this port to be open to operate and normally use alternate, more secure communication methods by default.
The reason for the port being made available was for legacy Windows operating systems like Windows 95 and Windows CE, which did not offer alternate secure network communication methods. We have produced Version 4.0.1 of our server product as part of the official release on our web site, which no longer provides communication by default on TCP port 11234. All users with 4.0.0 maintenance can download this version free of charge. Version 4.0.1 does, and Version 4.4.0 onwards will, allow the user to switch on the port in the registry if required.
Ethical hacking ensures that the person being attacked is aware of the attack, which was not the case in this instance. Measuresoft are seriously concerned that individuals acting independently, and without advice from vendors or warning to vendors, have managed to publish information about products gathered during informal tests, which in turn have been published as fact without formal verification by security product providers. The US Department of Homeland Security initially made Measuresoft aware of the original report and encouraged Measuresoft to respond quickly to these reports, which we did within two days.