Today the DHS ICS-CERT published an update for a control system advisory for Wind River VxWorks operating system that was originally published in June of last year and updated once before in November. The update extends the coverage of the vulnerability to five versions of the VXWorks 653 operating system for safety-critical applications. Wind River has produced updates for two of the affected versions that mitigate the TCP predictability vulnerability. The older versions are no longer supported.
I noted in the original post that ICS-CERT expected that other vendors that used affected versions of VXWorks would be coming forward with their own mitigations for this vulnerability as Schneider did with their Sage RTUs. Now almost 8 months after the original advisory was published, there have not yet been any other users of the affected versions of VXWorks. Somehow that just does not seem reasonable. Unfortunately, ICS-CERT has no authority to compel vendors to disclose operating system versions included in the products.
As has become usual with these advisory updates ICS-CERT does not mention this update on their landing page. They did, however, announce the update on TWITTER®.