Earlier today the DHS ICS-CERT published an updated version of their advisory from December that reported mitigations in response to the original ICS-CERT alert from August and an update of that alert in September. If that seems confusing, try this: today’s update notes that “ROS Update V3.12 has been produced to mitigate these issues”, but the Ruggedcom web site reports that V3.12 became available on December 7th, 2012, eleven days before the original advisory was published. It looks like this update should have been included in the original advisory.
BTW: There is still no word on a more permanent fix for the HTTPS/SSL service beyond disabling the service, which is still what is being reported in this updated advisory.
BTW Again: There is no mention in this updated advisory that
Justin Clarke, the researcher who reported the vulnerability in the first
place, has had a chance to review the V3.12 update to verify that it mitigates
the reported vulnerabilities.