Earlier today the DHS ICS-CERT published an update (#4) for the Siemens OpenSSL advisory that was last updated in August. It ignored updates for a RuggedCom certificate verification vulnerability (ICSA-14-135-03) originally published in May and an update for the Siemens GNU Bash vulnerability that ICS-CERT still has not reported. Batting 1 for 3 in baseball is pretty good; in security it SUCKS. All three updates were published yesterday on the Siemens ProductCert web page.
OpenSSL Update
This update reports that Siemens now has updates available for all of the affected product lines. Steady progress has been made since the vulnerability was reported earlier this year, with regular updates to public notifications by Siemens.
Certificate Verification Update
ICS-CERT may not care, but Siemens is reporting that it has firmware updates available for ROX 2 devices and continues to work on updates for ROX 1 devices.
GNU Bash Update
Siemens is reporting that the same ROX 2 firmware upgrade that fixed the certificate verification vulnerability also addresses their GNU Bash issue. Two vulnerabilities with a single upgrade, good move. ICS-CERT apparently still does not know that Siemens is affected by GNU Bash, so the update passes unnoticed.