There is a public report of a vulnerability with proof-of-concept (PoC) exploit code that could expose private SSL keys used in the OpenSSL implementation of secure communication, according to a report in ICS-CERT.
The vulnerability in OpenSSL Versions 1.0.1 through 1.0.1f contain a flaw in its implementation of the transport layer security/datagram transport layer security (TLS/DTLS) heartbeat functionality that could disclose private/encrypted information to an attacker, the report said.
This vulnerability is called “heartbleed.” This vulnerability discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security ended up reported to the National Cyber Security Centre Finland (NCSC-FI) for vulnerability coordination and reporting to the OpenSSL team.
ICS-CERT issued an alert as an early notice of the report and identify baseline mitigations for reducing risks to this and other cybersecurity attacks.
For details, click on this US-CERT Vulnerability Note.
Click here for the heartbleed public report.
As OpenSSL may see use as a third-party component, asset owners, operators, and SCADA software developers should investigate the use of the affected versions of OpenSSL in their environments.
OpenSSL Version 1.0.1g has addressed and mitigated this vulnerability. Please contact your software vendor to check for availability of updates.