Siemens created an update and a Security Advisory that mitigate the OpenSSL vulnerability known as Heartbleed in eLAN and WinCC OA, and is currently working on updates for the other affected products, according to a report on ICS-CERT.
Exploits that target this remotely exploitable vulnerability, discovered by Joel Langill of Infrastructure Defense Security Services, are publicly available.
The following Siemens products suffer from the issue:
• eLAN-8.2 eLAN prior to 8.3.3 (affected when RIP is used—update available)
• WinCC OA only V3.12 (always affected—update available)
• S7-1500 V1.5 (affected when HTTPS active)
• CP1543-1 V1.1 (affected when FTPS active)
• APE 2.0 (affected when SSL/TLS component is used in customer implementation)
A successful Heartbleed exploit of the affected products by an attacker with network access could allow the attacker to read sensitive data (including private keys and user credentials) from the process memory.
Siemens is a multinational company headquartered in Munich, Germany. The affected Siemens industrial products are for process and network control and monitoring in critical infrastructure sectors such as chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems.
The Heartbleed vulnerability could allow attackers to read unallocated memory of running OpenSSL processes. This could reveal secrets such as transmitted data, passwords, or private keys.
CVE-2014-0160 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.
An attacker with low skill would be able to exploit this vulnerability.
The attacker must have network access to the affected devices to exploit this vulnerability. Siemens recommends operating all products except perimeter devices only within trusted networks.
Siemens provides updates for the following products:
• eLAN-8.2: update to Version 8.3.3
• WinCC OA V3.12: update to Version 3.12-P006
Siemens is preparing updates for the other affected products that will fix the vulnerability. Siemens will provide information when the new releases are available.
Siemens provides specific advice for mitigating risk in each of the affected products in SSA 635659.
Langill said if the user does not need HTTPS then he or she should disable it until a patch is available and applied to the vulnerable product/service.