Wireless Web mesh gateways used everywhere from industrial control environments to home area networks are vulnerable to the Heartbleed OpenSSL vulnerability.
The Industrial Control System Computer Emergency Response Team (ICS-CERT) issued an advisory Thursday warning SCADA and ICS managers with Digi International products in their environments that various networking gear from the vendor is vulnerable to Heartbleed.
Five different Digi products are susceptible to the bug in OpenSSL that turned the Internet upside down a month ago. The vulnerability is a missing bounds check in the TLS Heartbeat extension that exposes 64 KB of memory with each response. Replaying the attack can eventually leak credentials, and some researchers have managed to grab private encryption keys.
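The missing bounds check described above is also what makes the attack detectable on the wire: a heartbeat request whose 16-bit payload-length field claims more bytes than the TLS record actually carries. The following Python is an added example, not code from the article or from Digi or OpenSSL; it applies the patched OpenSSL length test to raw TLS records and uses constructed sample records.

```python
import struct

TLS_HEARTBEAT = 0x18        # TLS record content type for the Heartbeat extension
HEARTBEAT_REQUEST = 1
RECORD_HDR_LEN = 5          # content type (1) + version (2) + length (2)
HB_HDR_LEN = 3              # heartbeat type (1) + payload_length (2)
MIN_PADDING = 16            # RFC 6520 requires at least 16 bytes of padding


def check_heartbeat_record(record: bytes):
    """Classify one TLS record as a defender would in an IDS rule.

    Returns (verdict, declared_len, actual_len) where verdict is
    'not-heartbeat', 'malformed', 'ok' or 'oversized'. 'oversized' is the
    Heartbleed pattern: the length field asks for more payload than the
    record contains, which unpatched OpenSSL echoed back from memory.
    """
    if len(record) < RECORD_HDR_LEN:
        return ("malformed", None, None)
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:RECORD_HDR_LEN])
    if ctype != TLS_HEARTBEAT:
        return ("not-heartbeat", None, None)
    body = record[RECORD_HDR_LEN:RECORD_HDR_LEN + rec_len]
    if len(body) != rec_len or rec_len < HB_HDR_LEN:
        return ("malformed", None, None)
    _hb_type, declared_len = struct.unpack("!BH", body[:HB_HDR_LEN])
    actual_len = rec_len - HB_HDR_LEN          # payload + padding really present
    # The fix added to OpenSSL 1.0.1g is exactly this comparison:
    # header + declared payload + minimum padding must fit in the record.
    if HB_HDR_LEN + declared_len + MIN_PADDING > rec_len:
        return ("oversized", declared_len, actual_len)
    return ("ok", declared_len, actual_len)


def build_heartbeat(declared_len: int, payload: bytes) -> bytes:
    """Build a constructed TLS 1.0 heartbeat request record for testing."""
    body = struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 1, len(body)) + body


# Constructed samples: an honest 4-byte heartbeat and one whose length field
# claims the full 64 KB the article mentions while carrying only 4 bytes.
BENIGN_RECORD = build_heartbeat(4, b"ping")
OVERSIZED_RECORD = build_heartbeat(0xFFFF, b"ping")

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN_RECORD), ("oversized", OVERSIZED_RECORD)):
        print(name, check_heartbeat_record(rec))
```

Fed with records reassembled from a capture, the 'oversized' verdict flags the request before any response is observed, which matters on gateways whose firmware has not yet been updated.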
Digi ConnectPort LTS, ConnectPort X2e, Digi Embedded Linux 5.9, Digi Embedded Yocto 1.4, and Wireless Vehicle Bus Adapter (WVA) are affected, ICS-CERT said. Digi, meanwhile, has patched the vulnerability and firmware upgrade versions are available for download.
Adam Crain, researcher and owner of ICS and SCADA testing tool developer Automatak, said Digi products, ConnectPort in particular, are being used in many different types of control environments. ConnectPort, for example, can be used to map a port on the gateway to a mesh wireless endpoint, he said.
“For instance, if you wanted to connect your PC to your Zigbee fridge, you could use one of these gateways as a router. Zigbee has big applications for home networking (think smart meters / HAN environment), but it probably is also being used for cheap sensor networks in industrial environments,” Crain said. “For instance, in a past life, I used this exact router to connect solar trackers to a monitoring system.”
Digi said the vulnerable products are used in a number of critical industries, including energy, transportation, manufacturing, communications and others. A search for Digi Connect on the SHODAN search engine returned 2,436 results.
“Yes, that’s 2463 Digi Connect routers that are almost all likely unpatched,” Crain said.
Heartbleed exploits have been available since Day 1 when the vulnerability was made public April 7. Researchers were able to extract all manner of sensitive data from the memory leaks afforded by the flaw. Soon enough, vendor CloudFlare established a challenge to the security researcher community to extract private keys using Heartbleed from a purpose-built server.
Within hours, the server had been cracked and keys extracted, adding a new layer of risk to the hundreds of thousands of vulnerable servers. While researchers have concentrated primarily on hacking web servers and even VPN connections using Heartbleed, industrial control systems and SCADA gear are not immune. The same exploits work, and the same difficulty in detecting Heartbleed attacks exists.
“Any Heartbleed exploit could potentially work,” Crain said. “If there’s a turn-key exploit out there to scan the target’s memory for private RSA keys (which there is), there’s no reason you couldn’t use it on the affected Digi gear.”