Today the DHS ICS-CERT published three advisories
for vulnerabilities in industrial control systems applications from Siemens,
Progea Movicon, and Innominate. Two of those (the first and last) are related
to HeartBleed.
Siemens Advisory
This advisory provides
a list of Siemens products that contain or are affected by the HeartBleed
vulnerability. They currently only provide one update to mitigate the
vulnerability but do note that they are working on the other product updates.
The unusual move to self-identify vulnerable systems before mitigation measures
are available was almost certainly undertaken because tools to test for the HeartBleed
vulnerability and exploit code for the bug both exist in the wild.
Siemens reports that the following products are affected:
● eLAN-8.2 eLAN < 8.3.3 (affected when RIP is used - update available)
● WinCC OA only V3.12 (always affected)
● S7-1500 V1.5 (affected when HTTPS active)
● CP1543-1 V1.1 (affected when FTPS active)
● APE 2.0 (affected when SSL/TLS component is used in customer implementation)
Siemens has an update available for eLAN (v 8.3.3)
and recommends the following interim mitigation measures for the other products
until the appropriate update is published:
● WinCC OA V3.12:
  o Use VPN for protecting SSL traffic
  o Use WinCC OA in a trusted network
● S7-1500 V1.5:
  o Disable the web server, or
  o Limit web server access to trusted networks only
  o Remove the certificate from the browser
● CP1543-1 V1.1:
  o Disable FTPS, or
  o Use FTPS in trusted network, or
  o Use the VPN functionality to tunnel FTPS
● APE 2.0:
  o Update OpenSSL to 1.0.1g before distributing a solution. Follow instructions from Ruggedcom [3] to patch APE 2.0
The VPN recommendations should have come with a
caveat that the VPN should have its HeartBleed status investigated before it is
used to protect remote access to a control system.
Progea Advisory
This advisory is
for an information disclosure vulnerability reported by Celil Ünüver of SignalSEC
Ltd in a coordinated disclosure. Progea has developed an update that ICS-CERT
reports has been checked and validated by Celil.
ICS-CERT reports that a moderately skilled attacker
could remotely execute an attack using this vulnerability to gain access to OS
version information.
Innominate Advisory
This advisory notes
that Bob Radvanovsky of Infracritical notified ICS-CERT that Innominate has
updated their mGuard product firmware to deal with the HeartBleed vulnerability
included in versions of those devices. The advisory points at the Innominate
advisory published last Friday. Bob also reported
this last Friday on the SCADASec List.
HeartBleed Reporting
It will be interesting to see how many of these
HeartBleed advisories get published by ICS-CERT. Most of these will end up
being self-reported (even the Innominate advisory was essentially self-reported).
I also doubt that there will be much more information in any of the upcoming
advisories than we have seen in these two today.
It may be easier for ICS-CERT to just set up a
HeartBleed page and update it when necessary by listing the vendors that have
published firmware or software updates that mitigate the vulnerability. I think
it would be easier and more informative.