Siemens has released an update for some of its ICS products that are affected but the glibc Ghost vulnerability that was disclosed in January.
The vulnerability affected both the Siemens Sinumerik and Simatic HMI Basic applications, which are used in a variety of industrial situations.
“The affected products, SINUMERIK, SIMATIC HMI Basic, and Ruggedcom, are used as an interface between operators and corresponding systems, as well as the ability to run third-party components. These products are deployed across several sectors including: Chemical, Energy, Food and Agriculture, and Water and Wastewater Systems,” the ICS-CERT advisory about the bug says.
“In order to exploit the SINUMERIK and SIMATIC HMI Basic products, an attacker would first need to have authenticated local access to the device(s). To exploit the Ruggedcom APE product an attacker would need to be able to influence parameters passed to the vulnerable functions. This is only possible if the user has installed components that utilize the vulnerable functions and that are accessible to the attacker.”
Siemens first issued an advisory about the Ghost vulnerability affecting its products in March, and at the time only provided patches for the Sinumerik and Ruggedcom APE products. The Simatic HMI products were still vulnerable, until the release of the latest update. Now the Simatic HMI Basic Panels 2nd generation also is protected.
The Ghost vulnerability is a serious flaw in the GNU C library that affects all Linux systems and can give an attacker the ability to run arbitrary code. Discovered in January, it was the latest in the long line of major vulnerabilities with broad reach across the Internet, following Heartbleed, Shellshock and others.