Four recently-patched OpenSSL vulnerabilities have been found to affect several industrial products from Siemens.
According to advisories published by both Siemens and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the security holes affect APE versions prior to 2.0.2 (only affected if SSL/TLS component or Crossbow is used), versions 3.8 through 3.12 of WinCC OA (PVSS), and all versions of CP1543-1, ROX 1 (only affected if Crossbow is installed), ROX 2 (only affected if eLAN or Crossbow is installed), and SIMATIC S7-1500.
Siemens has already patched the vulnerabilities in APE and WinCC OA (PVSS) and is working on updates for the other affected products.
The OpenSSL flaws that impact these Siemens solutions are the ones patched by the OpenSSL Project at the beginning of June. The security holes, for which exploits are already publicly available, can be exploited remotely by an attacker with moderate skills, ICS-CERT noted in its advisory.
The most serious of the vulnerabilities is the one with the CVE identifier CVE-2014-0224, which can be leveraged for a man-in-the-middle (MitM) attack between vulnerable clients and servers. The flaw affects all of the aforementioned products. Two improper input validation issues, CVE-2014-0198 and CVE-2010-5298, can be exploited by an attacker to crash the Web server in SIMATIC S7-1500 with the aid of specially crafted packets.
The last vulnerability (CVE-2014-3470) is also an improper validation flaw that can lead to a Web server crash, but it affects WinCC OA (PVSS), said Siemens, which has provided mitigation advice for ICS operators.
“The vulnerabilities identified could impact authenticity, integrity, and availability of affected devices. The man-in-the-middle attack could allow an attacker to hijack a session between an authorized user and the device. The other vulnerabilities reported could impact the availability of the device by causing the web server of the product to crash,” ICS-CERT reported. “Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.”
In April and May, Siemens rolled out updates for eLAN, WinCC OA, SIMATIC S7-1500, CP1543-1 and APE to address the Heartbleed bug. In January, the company patched two vulnerabilities affecting switches of the SCALANCE X-200 family, which are used to connect ICS components.