
SE-2011-01 Vendors status

This page presents the current status of the communication process with vendors of affected technologies.

Vendors not responding to our email messages for 7+ days:

  • Advanced Digital Broadcast
    awaiting response to the message from 11-Jan-2012, last contact with the company on 07-Jan-2012
  • ITI Neovision
    awaiting response to the message from 01-Feb-2012, last contact with the company on 18-Jan-2012

Summary of the communication process:

  • 02-Jan-2012
- Initial requests for security contacts are sent to Onet.pl S.A., Advanced Digital Broadcast, STMicroelectronics, ITI Neovision, Conax AS, DreamLab Onet.pl S.A.
- Contact information received from Onet.pl S.A. and DreamLab Onet.pl S.A.
  • 03-Jan-2012
- Vulnerability Notices are sent to Onet.pl S.A. (Issues 1-4) and DreamLab Onet.pl S.A. (Issue 24).
- Contact information received from ITI Neovision - awaiting response and PGP key.
  • 04-Jan-2012
- As a result of no response to our Jan 2nd inquiry, Advanced Digital Broadcast, STMicroelectronics and Conax AS are contacted again and asked for a proper security contact.
- Request for confirmation of a successful report decryption is sent to Onet.pl S.A. / DreamLab Onet.pl S.A.
- Onet.pl S.A. / DreamLab Onet.pl S.A. confirms successful reception and decryption of vulnerability reports.
- Advanced Digital Broadcast responds to our contact inquiry.
- Contact information received from Conax AS to which Vulnerability Notices are sent (Issues 22-23).
- Conax AS confirms successful reception and decryption of vulnerability reports.
- PGP key received from ITI Neovision to which Vulnerability Notices are sent (Issues 20-21).
- ITI Neovision confirms successful reception and decryption of vulnerability reports.
- Contact information received from STMicroelectronics to which Vulnerability Notices are sent (Issues 17-19).
- Contact information received from Advanced Digital Broadcast to which Vulnerability Notices are sent (Issues 5-16).
  • 05-Jan-2012
- Requests for confirmation of successful report decryption are sent to Advanced Digital Broadcast and STMicroelectronics.
  • 06-Jan-2012
- STMicroelectronics confirms successful reception and decryption of vulnerability reports.
  • 07-Jan-2012
- Advanced Digital Broadcast confirms successful reception and decryption of vulnerability reports.
  • 11-Jan-2012
- Inquiries about the impact of the reported vulnerabilities are sent to Advanced Digital Broadcast and STMicroelectronics.
  • 12-Jan-2012
- Request for status update regarding fixed bugs is sent to Onet.pl S.A. / DreamLab Onet.pl S.A.
  • 17-Jan-2012
- STMicroelectronics informs that no confidential information will be disclosed to Security Explorations in response to its impact inquiry (question about the list of vulnerable DVB chipset models/versions, questions about set-top-box manufacturers and digital satellite TV providers relying on affected chipsets, etc.). STMicroelectronics informs that it is still in the process of analysing the received data.
  • 23-Jan-2012
- Security Explorations asks STMicroelectronics whether the list of products vulnerable to reported security issues is also the company's confidential information.
  • 01-Feb-2012
- Requests for status update / results of the analysis are sent to Onet.pl S.A., Advanced Digital Broadcast, ITI Neovision, Conax AS, DreamLab Onet.pl S.A.
- Onet.pl S.A. / DreamLab Onet.pl S.A. confirm fixing of reported security issues (Issues 1-4 and 24).
  • 03-Feb-2012
- Conax AS provides the results of its analysis of reported issues. The company informs Security Explorations that it does not regard Issues 22 and 23 as security bugs. Issue 22 is assumed to be caused by a configuration feature of Conax CAS.
- Security Explorations responds to Conax AS and expresses its disagreement with the results of the company's analysis. Security Explorations provides its reasoning and asks Conax AS whether the company still considers reported Issues 22 and 23 as non-security ones. Security Explorations also seeks confirmation of the nature of Issue 22.
  • 22-Feb-2012
- Conax AS provides additional information regarding Issue 22. The company informs that upon additional data and analysis, Issue 22 is understood not to be caused by a previously assumed configuration feature of Conax CAS, but is the result of running the affected service in a way specific to an older generation of Conax systems.
  • 16-Mar-2012
- STMicroelectronics informs that the company's teams are completing analysis of the work and details provided by Security Explorations. The company asks for confirmation of one attack detail.
- Security Explorations confirms the attack detail to STMicroelectronics.
  • 22-Mar-2012
- STMicroelectronics asks for confirmation of one attack detail regarding Issue 18.
- Security Explorations responds that it cannot provide the confirmation and delivers its answer based on the conducted analysis and tests.
  • 23-Mar-2012
- Security Explorations provides STMicroelectronics with additional information / results of the tests regarding Issue 18.

Copyright 2008-2014 Security Explorations. All Rights Reserved.