This afternoon the folks at DHS ICS-CERT published an updated version of the RuggedCom alert that they published earlier this week. They added the following paragraph to the ‘mitigation’ section of the alert:
“ICS-CERT is coordinating with RuggedCom who has indicated that they intend to release a patch that removes the backdoor access to address this reported vulnerability. They plan to release this patch within the next month. In addition, RuggedCom has released a notification regarding this issue that can be accessed at http://www.ruggedcom.com/productbulletin/ros-security-page/.”
Less than a week to get this response from RuggedCom is fairly impressive, even if they have had the vulnerability information for just about a year now. Sometimes you just have to get someone’s attention.
Actually I would assume that they had been doing at least some work on the patch since they were notified of the vulnerability. I would guess that it was a low priority project since it wasn’t going to be making the company any money. As long as the researchers weren’t going public there wouldn’t be any real need to get the patch developed in a timely manner.
There is another potential explanation. The alert notes that RuggedCom was acquired by Siemens ‘earlier this year’. Given Siemens’ problems with vulnerabilities in their control systems it might seem that a company that was looking to be bought by Siemens might have a reason to ensure that a recently identified vulnerability didn’t make the news. It might even be a good idea to ensure that the team doing a due-diligence inspection didn’t find out about the problems.
We won’t ever know which of the two possibilities (or maybe some other that I haven’t thought of) was really responsible for the delay in getting the development under way. In the long run, I guess it doesn’t really matter; a vulnerability has been identified and is being patched. Hopefully the bad guys won’t use it in the meantime.
Fortunately, the only people slower to exploit cybersecurity vulnerabilities than Congress are the terrorists. Hopefully it remains that way.