Wonderware patched an OpenSSL Heartbleed vulnerability in the Wonderware Intelligence application, caused by a third-party component, according to a report on ICS-CERT.
Exploits that target this remotely exploitable vulnerability are publicly available.
The latest release of Schneider Electric Wonderware Intelligence Version 1.5 SP1 is not susceptible to the OpenSSL vulnerability. However, users have reinstalled Tableau Server, the vulnerable third-party component. Therefore, Wonderware now controlled by Schneider Electric, issued a patch and a security bulletin addressing this vulnerability in all versions.
Tableau is the third-party component vendor whose product is vulnerable to the OpenSSL Heartbleed bug. The following Tableau products susceptible to the OpenSSL vulnerability used in the Schneider Electric Wonderware Intelligence product are:
• Tableau Server ver 8.0.6 through 8.0.9
• Tableau Server ver 8.1.0 through 8.1.5.
A missing bounds check in the handling of the TLS Heartbeat extension can reveal up to 64kB of memory on a connected device. An attacker who successfully exploits this vulnerability may obtain the user credentials and cryptographic keys used to access the device.
Paris, France-based Schneider Electric maintains offices in more than 100 countries worldwide.
Schneider Electric Wonderware Intelligence is a real-time operations management software distributed by Schneider Electric. Schneider Electric provides automation and information technologies and systems.
Wonderware Intelligence sees global use across several sectors including critical manufacturing, energy, healthcare and public health, and water and wastewater systems.
The Heartbleed bug could allow attackers to read unallocated memory of OpenSSL running processes. This could reveal data like transmitted data, passwords, or private keys. The attacker must have network access to the affected devices to exploit this vulnerability.
CVE-2014-0160 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.
Exploits that target this vulnerability are publicly available. An attacker with a low skill would be able to exploit this vulnerability.
Wonderware issued Security Advisory “Tableau OpenSSL Vulnerability (LFSEC00000098),” available at (user registration required).
Tableau released several firmware update fixes for the OpenSSL vulnerability. Wonderware has incorporated and successfully tested Wonderware Intelligence Security patch LFSec00000098 (registration required). Tableau has released maintenance Versions 8.1.6 and 8.0.10 on its primary and alternate download sites.
Click here for the Tableau primary customer download site (User registration required).
The Tableau alternate download site, where Version 8.1.6 for Desktop and Server (4/10/2014) is available.
Wonderware recommends users who have enabled SSL using Tableau Server Versions 8.0.6 through 8.0.9 or 8.1.0 through 8.1.5 should apply the security update to all nodes. The process consists of uninstalling the Dashboard Server and installing the new version. The server configuration and published dashboards will end up preserved during the installation of the new version.
Any certificates used to configure the SSL communications end up revoked, new certificates re acquired, and used after patching the vulnerability.
After applying the update, users should also change any passwords used for accessing the server.