Siemens created an update that mitigates the Heartbleed vulnerability in its products, which the company reported to ICS-CERT. Siemens also created a security advisory.
The remotely exploitable vulnerability first came to light via Joel Langill of Infrastructure Defense Security Services, who discovered the issue affecting the S7-1500 and reported it to ICS-CERT and Siemens.
Exploits that target the OpenSSL Heartbleed vulnerability are publicly available.
The following Siemens products suffer from the issue:
• eLAN-8.2 eLAN prior to 8.3.3 (affected when RIP is in action — update available)
• WinCC OA only V3.12 (always affected — update available)
• S7-1500 V1.5 (affected when HTTPS active — update available)
• CP1543-1 V1.1 (affected when FTPS active — update available)
• APE 2.0 (affected when SSL/TLS component is in use in customer implementation — update available)
A successful “Heartbleed” exploit of the affected products by an attacker with network access could allow the attacker to read sensitive data (including private keys and user credentials) from the process memory.
Siemens is a multinational company headquartered in Munich, Germany.
The affected Siemens industrial products are for process and network control and monitoring in critical infrastructure sectors such as chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems.
The Heartbleed vulnerability could allow attackers to read unallocated memory of processes running OpenSSL. This could reveal secrets like transmitted data, passwords, or private keys.
CVE-2014-0160 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.
An attacker with low skill would be able to exploit this vulnerability.
The attacker must have network access to the affected devices to exploit this vulnerability. Siemens recommends operating all products except perimeter devices only within trusted networks.
Siemens provides updates for the following products:
• eLAN-8.2. To obtain the update to Version 8.3.3, submit a support request online.
• WinCC OA V3.12. Click here for the update for WinCC OA 3.12 (login required).
• CP-1543-1 V1.1. Click here for the update to CP-1543 V1.1.
• APE 2.0. Click here for the update to APE.
• S7-1500 V1.5. Click here for the update to S7-1500.
• S7-1500 V1.5. Click here for the update to S7-1500 Failsafe V1.5.
Siemens provides specific advice for mitigating risk in each of the affected products in SSA 635659, which is on its web site.
Langill suggests that if a user does not need HTTPS, he or she should disable it until a patch is available and applied to the vulnerable product/service.