Siemens says it is working on patches for four critical vulnerabilities in the OpenSSL libraries it uses in a number of its industrial control products, flaws that are being exploited in the wild.
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) cautioned too that critical infrastructure operators managing these process and network control and monitoring devices rely on a number of temporary mitigations until patches are available.
Siemens identified the following products as vulnerable to the current exploits:
- APE versions greater than 2.0.2 (only affected if SSL/TLS component or Crossbow is used),
- CP1543-1: all versions,
- ROX 1: all versions (only affected if Crossbow is installed),
- ROX 2: all versions (only affected if eLAN or Crossbow is installed),
- S7-1500: all versions, and
- WinCC OA (PVSS): version 3.8 – 3.12
These products are used in a number of critical industries, ICS-CERT said, including chemical, manufacturing, energy, food and agriculture and water and wastewater systems.
Siemens said it has already patched the vulnerabilities in APE 2.0.2 and WinCC OA (PVSS). The remaining ROX, S7-1500 and CP1543-1 products are as-yet unpatched.
Attackers exploiting these vulnerabilities may be able to inject code, carry out a man-in-the-middle attack to hijack sessions between users and devices, or crash a control system.
The ROX, APE, S7-1500 and CP1543-1 devices are susceptible to man-in-the-middle attacks where a hacker could inject himself into the traffic stream between an unpatched client and the server to which it’s communicating.
The SIMATIC S7-1500 programmable logic controller and WinCC OA (PVSS) also hold an input validation vulnerability that could allow an attacker to send malicious packets to the device and crash the PLC.
“An attacker with a moderate skill would be able to exploit these vulnerabilities,” ICS-CERT said in its advisory.
Until patches are available for the remaining products, Siemens recommends the following workarounds:
- ROX 1 is affected only if Crossbow is installed, and should be used only in trusted networks
- ROX 2 is affected only if Crossbow or eLAN is installed. Users may update Debian if eLAN is installed on Linux, or use it only in trusted networks
- S7-1500 mitigations involve either disabling the web server or limiting web server access to trusted networks
- CP1543-1 should either be disabled, or operators use VPN functionality to tunnel FTPS/SMPT.
Siemens, like most other vendors, had to recently update its OpenSSL implementations in the wake of the Heartbleed OpenSSL vulnerability. Siemens patched its all of the above products in April, weeks after Heartbleed was disclosed.