This afternoon the DHS ICS-CERT updated the advisory that it had issued earlier this week for the Siemens RuggedCom Devices. The update corrects an error in list of affected products.
The original advisory listed “RuggedCom devices with ROX: All firmware versions prior to v2.6.3”. The new version shows “RuggedCom devices with ROX II: All firmware versions” and then specifically notes that “ROX I” devices are not affected. This change reflects the information that was printed in the original Siemens Advisory and is not because of any change initiated by Siemens.
I learned of the updated version from a Tweet made by ICS-CERT. The changed advisory is not on top of the list of advisories provided on their landing page that would typically indicate that it was added today. What has been done is that the original listing made on July 21st has been changed to reflect the new advisory number (‘A’ added to the end of the original) and has the words “Update A” added at the end of the title.
Since we saw the same thing last week with the updated Schneider advisory, I think that this may reflect a change in the way that ICS-CERT is running their list of vulnerabilities. The list on the landing page will only show the vulnerability listing on its original order making it very difficult to tell when an advisory is updated. And the older advisories drop off the landing page as new ones are added. Fortunately they are announcing the updates on Twitter (@ICS-CERT) so we can keep track of them that way as long as they continue to do this.