Today the DHS ICS-CERT published an update for a control system advisory for the Wind River VxWorks operating system that was originally published in June of last year and updated once before in November. The update extends the coverage of the vulnerability to five versions of the VxWorks 653 operating system for safety-critical applications. Wind River has produced updates for two of the affected versions that mitigate the TCP predictability vulnerability. The older versions are no longer supported.

I noted in the original post that ICS-CERT expected that other vendors that used affected versions of VxWorks would be coming forward with their own mitigations for this vulnerability, as Schneider did with their Sage RTUs. Now, almost 8 months after the original advisory was published, there have not yet been any other users of the affected versions of VxWorks. Somehow that just does not seem reasonable. Unfortunately, ICS-CERT has no authority to compel vendors to disclose operating system versions included in the products.

As has become usual with these advisory updates, ICS-CERT does not mention this update on their landing page. They did, however, announce the update on TWITTER®.