Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Security Infrastructure

Siemens Industrial Products Affected by OpenSSL Vulnerabilities

Four recently-patched OpenSSL vulnerabilities have been found to affect several industrial products from Siemens.

Four recently-patched OpenSSL vulnerabilities have been found to affect several industrial products from Siemens.

According to advisories published by both Siemens and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the security holes affect APE versions prior to 2.0.2 (only affected if SSL/TLS component or Crossbow is used), versions 3.8 through 3.12 of WinCC OA (PVSS), and all versions of CP1543-1, ROX 1 (only affected if Crossbow is installed), ROX 2 (only affected if eLAN or Crossbow is installed), and SIMATIC S7-1500.

Siemens has already patched the vulnerabilities in APE and WinCC OA (PVSS) and is working on updates for the other affected products.

The OpenSSL flaws that impact these Siemens solutions are the ones patched by the OpenSSL Project at the beginning of June. The security holes, for which exploits are already publicly available, can be exploited remotely by an attacker with moderate skills, ICS-CERT noted in its advisory.

The most serious of the vulnerabilities is the one with the CVE identifier CVE-2014-0224, which can be leveraged for a man-in-the-middle (MitM) attack between vulnerable clients and servers. The flaw affects all of the aforementioned products. Two improper input validation issues, CVE-2014-0198 and CVE-2010-5298, can be exploited by an attacker to crash the Web server in SIMATIC S7-1500 with the aid of specially crafted packets.

The last vulnerability (CVE-2014-3470) is also an improper validation flaw that can lead to a Web server crash, but it affects WinCC OA (PVSS), said Siemens, which has provided mitigation advice for ICS operators.

“The vulnerabilities identified could impact authenticity, integrity, and availability of affected devices. The man-in-the-middle attack could allow an attacker to hijack a session between an authorized user and the device. The other vulnerabilities reported could impact the availability of the device by causing the web server of the product to crash,” ICS-CERT reported. “Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.”

In April and May, Siemens rolled out updates for eLAN, WinCC OA, SIMATIC S7-1500, CP1543-1 and APE to address the Heartbleed bug. In January, the company patched two vulnerabilities affecting switches of the SCALANCE X-200 family, which are used to connect ICS components.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.