Updates are now available after Siemens discovered four vulnerabilities in the OpenSSL cryptographic software library that affect several Siemens industrial products, according to a report on ICS-CERT.
Updates are available for APE 2.0.2, S7-1500, WinCC OA (PVSS) and CP1543-1. The ROX 1 and ROX 2 products do not have a patch at this time; however, Siemens made mitigation recommendations.
These vulnerabilities are remotely exploitable, and exploits that target OpenSSL vulnerabilities are publicly available. ICS-CERT is unaware of any OpenSSL exploits that target Siemens’ products specifically.
The following Siemens products suffer from the issue:
• APE versions prior to Version 2.0.2 (only affected if SSL/TLS component or Crossbow used)
• CP1543-1: prior to Version 1.1.25
• ROX 1: all versions (only affected if Crossbow installed)
• ROX 2: all versions (only affected if eLAN or Crossbow installed)
• S7-1500: versions prior to Version 1.6
• WinCC OA (PVSS): Version 3.8 – 3.12
The vulnerabilities identified could impact authenticity, integrity, and availability of affected devices. The man-in-the-middle attack could allow an attacker to hijack a session between an authorized user and the device. The other vulnerabilities reported could impact the availability of the device by causing the web server of the product to crash.
Siemens is a multinational company headquartered in Munich, Germany. Siemens develops products mainly in the energy, healthcare and public health, and transportation systems sectors.
The affected Siemens industrial products are for process and network control and monitoring in critical infrastructure sectors such as chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems.
An attacker could perform a man-in-the-middle (MitM) attack between a vulnerable client and a vulnerable server. This vulnerability affects ROX, APE, S7-1500, and CP1543-1. CVE-2014-0224 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.8.
In addition, specially crafted packets may crash the web server of the product. This vulnerability affects the SIMATIC S7-1500. CVE-2014-0198 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.
Also, specially crafted packets may crash the web server of the product. This vulnerability affects the SIMATIC S7-1500. CVE-2010-5298 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.0.
Specially crafted packets may crash the web server of the product. This vulnerability affects the WinCC OA (PVSS). CVE-2014-3470 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.
An attacker with moderate skill would be able to exploit these vulnerabilities.
Siemens provides updates for the following products:
• APE 2.0.2 available
• S7-1500: update to Version 1.6
• WinCC OA (PVSS): available at the Siemens ETM portal
• CP1543-1: update to Version V1.1.25
Siemens is preparing updates for the other affected products that will fix these vulnerabilities. Siemens will provide information and update its advisory (SSA 234763) when the new releases are available. In the meantime, customers should mitigate the risk to their products by implementing the following steps:
ROX 1: all versions (only affected if Crossbow installed)
• Use only in trusted networks
ROX 2: all versions (only affected if eLAN or Crossbow installed)
• Follow the Application Note if eLAN is installed on APE
• Update Debian using the standard update procedures if eLAN is installed on Linux system
• Use only in trusted networks
Siemens also recommends protecting network access to all products except for perimeter devices such as CP1543-1 with appropriate mechanisms. It is advised to follow recommended security practices and to configure the environment according to operational guidelines in order to run the devices in a protected IT environment.
Siemens provides specific advice for mitigating risk in each of the affected products in SSA 234763, which can be found at its web site.
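The affected-version list and per-product actions above can be applied to an asset inventory, as in the following added example (not Siemens or ICS-CERT code). The inventory record fields, device names and sample versions are constructed for illustration; versions are compared numerically because plain string comparison ranks 3.12 below 3.8 and 1.1.25 below 1.1.3.

```python
import re

def ver(s):
    """Parse 'V1.1.25' or '3.12' into a tuple of ints for numeric comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", s))

# Rules transcribed from the advisory text above:
# product -> (version predicate, components that expose it or None, action)
RULES = {
    "APE": (lambda v: v < ver("2.0.2"), {"SSL/TLS", "Crossbow"}, "update to 2.0.2"),
    "CP1543-1": (lambda v: v < ver("1.1.25"), None, "update to V1.1.25"),
    "ROX 1": (lambda v: True, {"Crossbow"}, "no patch yet: use only in trusted networks"),
    "ROX 2": (lambda v: True, {"eLAN", "Crossbow"},
              "no patch yet: apply eLAN guidance, use only in trusted networks"),
    "S7-1500": (lambda v: v < ver("1.6"), None, "update to Version 1.6"),
    # Assumption: only major.minor is compared. The page gives no fixed build
    # number, so an already patched 3.8 - 3.12 install needs manual confirmation.
    "WinCC OA (PVSS)": (lambda v: ver("3.8") <= v[:2] <= ver("3.12"), None,
                        "get the update from the Siemens ETM portal"),
}

def triage(asset):
    """Return (affected, action_or_reason) for one inventory record."""
    rule = RULES.get(asset["product"])
    if rule is None:
        return (False, "not listed in the advisory")
    in_range, needs, action = rule
    if not in_range(ver(asset.get("version", ""))):
        return (False, "version not in affected range")
    if needs is not None and not needs & set(asset.get("components", ())):
        return (False, "affected component not installed")
    return (True, action)

INVENTORY = [  # constructed sample records, not real devices
    {"name": "plc-01", "product": "S7-1500", "version": "V1.5.2"},
    {"name": "plc-02", "product": "S7-1500", "version": "V1.6.0"},
    {"name": "cp-01", "product": "CP1543-1", "version": "V1.1.3"},
    {"name": "rox-01", "product": "ROX 2", "version": "2.5.1", "components": ["eLAN"]},
    {"name": "rox-02", "product": "ROX 1", "version": "4.1", "components": []},
    {"name": "scada-01", "product": "WinCC OA (PVSS)", "version": "3.12"},
]

if __name__ == "__main__":
    for a in INVENTORY:
        print(a["name"], *triage(a))
```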