Industrial control equipment manufacturer Siemens has produced a security update that mitigates the OpenSSL Heartbleed vulnerability in its eLAN systems and now its WinCC OA supervisory control and data acquisition (SCADA) software as well. The company is continuing to work on patches to resolve the bug in at least three other product-lines.
Like all systems affected by the now-infamous OpenSSL Heartbleed vulnerability, successful exploitation could give an attacker the ability to read sensitive data, including private keys and user credentials, from the process memory.
Affected Siemens products include its eLAN software systems prior to the most recent version, 8.3.3, in which Siemens has mitigated the Heartbleed; its WinCC OA SCADA software, which is affected under all implementations but for which there is now an update available; its S7-1500 V1.5 programmable logic controllers (PLC), which are affected only when HTTPS is active and for which there is no available patch; its CP1543-1 V1.1 industrial Ethernet that is affected when file transfer protocol secure (FTPS) is active and for which there is no patch; and its APE 2.0 products, which are affected when the SSL/TLS component is used in customer implementation, and for which there is also no patch yet available.
“Impact to individual organizations depends on many factors that are unique to each organization,” ICS-CERT warns. “ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.”
Siemens is advising user to apply patches to their eLAN products, which have been available since the middle of the month, and to their WinCC OA SCADA software, which became available late last week.
S7-1500 V1.5 users are advised to sisable the web server, limit web server access to trusted networks only, and remove the certificate from the browser. CP1543-1 V1.1 are being advised to disable FTPS, use FTPS only in trusted network, or use the VPN functionality to tunnel FTPS. APE 2.0 users are advised to update their OpenSSL configurations to 1.0.1g before distributing a solution.
The advisory also notes that a low-skilled attacker could exploit the Heartbleed vulnerability remotely in these products by simply following publicly available exploit tactics.
Siemens is working on fixes for all the un-patched products listed here and will provide updates when the fixes become available.
While not related to Heartbleed, Siemens also fixed a pair of bugs in its SIMATIC S7-1200 CPU family. One which could have enabled cross-site scripting attacks if a user were tricked into following a malicious link and the other could allow attackers to inject HTML headers under the same circumstances.
Other prominent reactions to OpenSSL Heartbleed have come from the Tor Project, who began blacklisting vulnerable exit nodes earlier this month and Oracle, who shipped a set of patches for the bug. Mozilla is launching a special bug bounty program that will let researchers disclose bugs in a crypto library they plan to implement into an upcoming version of their Firefox browser. And a group backed by Google, Microsoft, and a conglomeration of other big tech firms is creating a multi-million dollar fund dedicated to helping support various open source projects that are vital to the Web’s security and stability.
