By Gregory Hale
As a result of the Heartbleed vulnerability hitting the industry, Siemens is coming out with a fix on one product and workarounds on others for the vulnerability in the OpenSSL cryptographic software library, according to a Siemens Security Advisory by Siemens ProductCERT.
While Siemens already has a fix for one of the products, it is working on updates for the others and recommends specific countermeasures until fixes are available. Joel Langill with Infrastructure Defense Security Services provided a coordinated disclosure with Siemens.
Products affected by the issue include:
• eLAN-8.2 eLAN < 8.3.3 (affected when RIP is used - update available)
• WinCC OA only V3.12 (always affected)
• S7-1500 V1.5 (affected when HTTPS active)
• CP1543-1 V1.1 (affected when FTPS active)
• APE 2.0 (affected when SSL/TLS component is used in customer implementation)
OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in their implementation of the Transport Layer Security/Datagram Transport Layer Security (TLS/DTLS) heartbeat functionality that could disclose private/encrypted information to an attacker.
This vulnerability, called “Heartbleed,” was discovered by a team of security engineers at Codenomicon and Neel Mehta of Google Security, who reported this vulnerability to the National Cyber Security Centre Finland (NCSC-FI) for vulnerability coordination and reporting to the OpenSSL team.
The Heartbleed issue, labeled CVE-2014-0160, could allow attackers to read process memory of running OpenSSL processes. This could reveal secrets, like transmitted data, passwords or private keys. Siemens ranked the overall CVSS score at 4.8.
The affected products could allow attackers to read sensitive data (this includes private keys and user credentials) from the process memory if the attackers have network access to the affected devices. Siemens recommended operating all products except perimeter devices only within trusted networks.
Siemens created version 8.3.3 as an update for eLAN-8.2. For the other products, Siemens is preparing updates that will fix the vulnerability. Siemens will provide information and update this advisory when the new releases are available.
In the meantime, customers should mitigate the risk to their products by implementing the following steps:
WinCC OA V3.12:
• Use VPN for protecting SSL traffic
• Use WinCC OA in a trusted network
• Disable the web server, or
• Limit web server access to trusted networks only
• Remove the certificate from the browser
• Disable FTPS, or
• Use FTPS in trusted network, or
• Use the VPN functionality to tunnel FTPS
• Update OpenSSL to 1.0.1g before distributing a solution. Follow instructions from Ruggedcom to patch APE 2.0
As an additional security measure, Siemens recommended users change passwords and renew certificates after securing the devices (either by patching or by implementing the steps mentioned above). Old certificates should be revoked to prevent misuse.
Siemens also recommended protecting network access to all products except for perimeter devices such as CP1543-1 with appropriate mechanisms. It is advised to follow recommended security practices and to configure the environment according to operational guidelines in order to run the devices in a protected IT environment.
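For asset owners triaging an inventory, the range cited above (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g) can be checked against collected version banners. The following is an added example, not code from Siemens or the advisory; the host names and banner strings are constructed, and the status labels are hypothetical names chosen for this sketch.

```python
import re

# Version token in banners such as "OpenSSL 1.0.1e-fips 11 Feb 2013".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)(-[\w.+~-]+)?")


def classify_openssl(banner):
    """Classify a banner against the range stated in the article.

    Returns 'in-range', 'in-range-check-build', 'outside-range' or 'unparsed'.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return "unparsed"
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, suffix = m.group(4), m.group(5)
    # Only the 1.0.1 branch is named; "" is 1.0.1 itself, then a..f.
    if release != (1, 0, 1) or len(letter) > 1 or letter > "f":
        return "outside-range"
    # A build suffix (e.g. a distribution package revision) means the version
    # string alone cannot show whether a fix was backported: confirm with the
    # supplier before treating the host as patched or as exposed.
    return "in-range-check-build" if suffix else "in-range"


def triage(inventory):
    """Return host names whose banner needs follow-up, sorted by name."""
    return sorted(
        host for host, banner in inventory.items()
        if classify_openssl(banner) != "outside-range"
    )


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = {
    "hmi-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "eng-ws-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "gw-03": "1.0.1e-2+deb7u5",
    "hist-04": "OpenSSL 0.9.8y 5 Feb 2013",
    "plc-web-05": "version unavailable",
}

if __name__ == "__main__":
    for host in triage(SAMPLE):
        print(host, classify_openssl(SAMPLE[host]))
```

Hosts reported as unparsed still need a manual check, since a missing banner says nothing about the library version in use.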