This afternoon the DHS ICS-CERT published an unusual update to an advisory published last month for a weak cryptography for password vulnerability in the RuggedCom operating system (ROS). The update corrects a poorly worded notice in the overview section of the original advisory, which claimed that RuggedCom had “produced new firmware versions that resolve the reported vulnerability” (pg 1). As I noted in my earlier blog on the advisory, that overstated the extent of the mitigation, as a close reading of the original advisory really did make clear.
The update also announces that firmware updates have been issued for additional versions of the ROS. At least one additional firmware update is scheduled to be released “within the next few weeks” (pg 3). It will be interesting to see if an additional advisory update is issued when that next firmware update becomes available. I had halfway expected to see one for each of the version updates listed in this advisory; hopefully there was some other communications methodology used to alert system owners when these firmware updates were made available (and a passive listing on the RuggedCom web site doesn’t hardly count).