Critical Infrastructure Companies Continue to Patch Heartbleed

Author: Brian Donohue
minute read
critical infrastructure security

Industrial control systems manufacturers are continuing to discover and provide fixes for the OpenSSL Heartbleed vulnerability.

Unified Automation issued a security advisory warning that its OPC UA software developers kit (SDK) for Windows contains the OpenSSL cryptography library that is vulnerable to Heartbleed. Schneider Electric, another industrial control system (ICS) manufacturer, posted its own advisory with mitigation information for the same bug, which can be introduced by a third party component in its Wonderware Intelligence Security application.

Heartbleed was disclosed on April 7; the vulnerability is a missing bounds check in the OpenSSL TLS Heartbeat extension that exposes 64 KB of memory with each response. Replaying the attack can eventually leak credentials, and some researchers have managed to grab private encryption keys.

Unified Automation isn’t actually fixing anything here. In fact, the maker of industrial control and SCADA systems is merely noting that its Windows OPC UA SDK – under certain circumstances – can be vulnerable to the bug. By default, its C++ and ANSI-based developers kits do not have HTTPS implemented.

However, these kits do contain the vulnerable OpenSSL encryption library if HTTPS is enabled. For users deploying HTTPS, United Automation recommends they replace the vulnerable OpenSSL library with a current version (1.01.g or later) in order to mitigate this problem.

Schneider Electric on the other hand has worked with a third party to ship a fix for the Heartbleed vulnerability in its Wonderware Intelligence systems. While the most current version of those systems is not vulnerable and has already been fixed, the company explains in an advisory that a number of users – after applying a recent update – have reinstalled a third-party component known as Tableau Server. That component is vulnerable to OpenSSL’s Heartbleed flaw.

Therefore, Schneider Electric and the makers of Tableau Server have worked together to mitigate the bug in their components. Operators running Tableau Server versions 8.0.6 through 8.0.9 and 8.1.0 through 8.1.5 will need to implement these patches in order to resolve the potentially serious bug.

Digi and Siemens have implemented similar patches to remedy Heartbleed in their ICS equipment in recent weeks.

You can find Unified Automation’s advisory here and Schneider Electric’s here.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.