Earlier today the DHS ICS-CERT published an
advisory for the HeartBleed vulnerability in various products from Digi. I
discussed most of this information in my
last HeartBleed post. New information: ICS-CERT reports that firmware
updates are available “for most vulnerable Digi International devices”, but
does not provide a list. The link provided takes one to a generic product
support page where you enter your product name or select a key word to search
for; neither HeartBleed nor OpenSSL is an available term.
ICS-CERT is again publishing a HeartBleed advisory without
updating their Situational Awareness Alert. I almost don’t blame them, as they would
quickly have to go to double letters to identify new updates if
they updated the SA every time new information became available.
It would probably have been better to have had a HeartBleed
web page to keep updating with new information on vulnerable, formerly
vulnerable, and not vulnerable ICS products. Joel Langill over at SCADAHacker.com takes that type of approach.
He is currently listing two ‘new’ ICS-related vendors, Certes Networks and
Unified Automation, as having products with HeartBleed vulnerabilities.
A reader of this blog, Rob Hulsebos, posted
a comment on the LinkedIn Cyber Security in Real Time Systems group
providing links to HeartBleed information for Emerson and Insys.
There is probably more ICS HeartBleed information out there
if you have the time to search. It sure would be nice if ICS-CERT were doing
that for the community.