Unified Automation issued a security advisory warning that its OPC UA software development kit (SDK) for Windows ships with a version of the OpenSSL cryptography library that is vulnerable to Heartbleed. Schneider Electric, another industrial control system (ICS) manufacturer, posted its own advisory with mitigation information for the same bug, which can be introduced by a third-party component in its Wonderware Intelligence Security application.
Heartbleed was disclosed on April 7; the vulnerability is a missing bounds check in the OpenSSL TLS Heartbeat extension that lets a single malformed heartbeat request leak up to 64 KB of the peer's process memory in each response. Repeating the request can eventually leak credentials, and some researchers have managed to recover private encryption keys.
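The missing bounds check described above, as an added illustration that is not code from the advisories or from OpenSSL itself: a simplified heartbeat handler in the style of the 1.0.1g fix, plus a helper that computes arithmetically how far the unpatched copy would have read past the record. The message layout follows RFC 6520; the two sample records and the zero padding are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
/* Read the declared payload length. Unpatched OpenSSL 1.0.1 trusted this value and
 * copied that many bytes from the record into the reply, whatever the record's real size. */
static int hb_declared_payload(const unsigned char *rec, size_t rec_len, uint16_t *payload) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    *payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return 0;
}

/* Bytes the unpatched copy would have read past the end of the record (0 when well-formed).
 * Computed arithmetically; nothing here touches memory outside rec. */
size_t hb_overread_bytes(const unsigned char *rec, size_t rec_len) {
    uint16_t payload;
    if (hb_declared_payload(rec, rec_len, &payload) != 0) return 0;
    size_t needed = 1 + 2 + (size_t)payload + HB_PADDING;
    return needed > rec_len ? needed - rec_len : 0;
}

/* Hardened handler with the bounds check added in OpenSSL 1.0.1g: a request whose declared
 * payload does not fit in the received record is silently discarded (RFC 6520 section 4).
 * Returns the response length written to out, or -1 if the request was rejected. */
int hb_build_response(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_cap) {
    uint16_t payload;
    if (rec_len < 1 + 2 + HB_PADDING) return -1;                     /* too short to be valid */
    if (hb_declared_payload(rec, rec_len, &payload) != 0) return -1;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;   /* the check 1.0.1 lacked */
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1]; out[2] = rec[2];                                /* echo the length field */
    memcpy(out + 3, rec + 3, payload);                               /* echo only bytes we received */
    memset(out + 3 + payload, 0, HB_PADDING);                        /* real OpenSSL uses random padding */
    return (int)resp_len;
}

/* Constructed sample records: a 4-byte "ping" with 16 bytes of padding (23 bytes total),
 * once with an honest length of 4 and once claiming 65535 bytes. */
static const unsigned char HB_GOOD[23] = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const unsigned char HB_BAD[23]  = {1, 0xFF, 0xFF, 'p', 'i', 'n', 'g'};
int hb_demo_good_response_len(void) { unsigned char out[64]; return hb_build_response(HB_GOOD, sizeof HB_GOOD, out, sizeof out); }
int hb_demo_bad_response_len(void)  { unsigned char out[64]; return hb_build_response(HB_BAD,  sizeof HB_BAD,  out, sizeof out); }
size_t hb_demo_bad_overread(void)   { return hb_overread_bytes(HB_BAD, sizeof HB_BAD); }
```

The honest record is echoed back as a 23-byte response, while the record claiming 65535 bytes is rejected; without the check, the copy would have read 65531 bytes beyond the record.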
Unified Automation isn’t actually fixing anything here. In fact, the maker of industrial control and SCADA systems is merely noting that its Windows OPC UA SDK – under certain circumstances – can be vulnerable to the bug. By default, its C++ and ANSI C developer kits do not have HTTPS implemented.
However, these kits do contain the vulnerable OpenSSL encryption library, which is only exercised if HTTPS is enabled. For users deploying HTTPS, Unified Automation recommends replacing the vulnerable OpenSSL library with a current version (1.0.1g or later) in order to mitigate this problem.
Schneider Electric on the other hand has worked with a third party to ship a fix for the Heartbleed vulnerability in its Wonderware Intelligence systems. While the most current version of those systems is not vulnerable and has already been fixed, the company explains in an advisory that a number of users – after applying a recent update – have reinstalled a third-party component known as Tableau Server. That component is vulnerable to OpenSSL’s Heartbleed flaw.
Therefore, Schneider Electric and the makers of Tableau Server have worked together to mitigate the bug in their components. Operators running Tableau Server versions 8.0.6 through 8.0.9 and 8.1.0 through 8.1.5 will need to apply these patches in order to resolve the potentially serious bug.
Digi and Siemens have implemented similar patches to remedy Heartbleed in their ICS equipment in recent weeks.
You can find Unified Automation’s advisory here and Schneider Electric’s here.