Siemens has updates available for two of its products affected by the Heartbleed vulnerability.
So far, Siemens has released updates for its eLAN and WinCC OA software. According to the company, the following products are also affected, but have not yet been patched:
- S7-1500 V1.5 (affected when HTTPS active)
- CP1543-1 V1.1 (affected when FTPS active)
- APE 2.0 (affected when SSL/TLS component is used in customer implementation).
“Siemens is working on updates for the affected products and recommends specific countermeasures until fixes are available,” the company said in an advisory April 25.
In an advisory from the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Readiness Team (ICS-CERT), it was noted that a successful exploit of the affected products by an attacker with network access would allow the attacker to read sensitive data such as private keys and user credentials from the process memory.
“Impact to individual organizations depends on many factors that are unique to each organization,” according to the ICS-CERT. “ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.”
Siemens recommends operating all products, except perimeter devices, within only trusted networks. Users of eLAN should upgrade to version 8.3.3, while WinOCC OA users should upgrade to version 3.12-P006. While customers wait for patches for the other products, they have a number of steps they can take to mitigate the threat.
For S7-1500 V1.5:
- Disable the web server, or
- Limit web server access to trusted networks only
- Remove the certificate from the browser
For CP1543-1 V1.1:
- Disable FTPS, or
- Use FTPS in trusted network, or
- Use the VPN functionality to tunnel FTPS
For APE 2.0:
- Update OpenSSL to 1.0.1g before distributing a solution. Follow instructions from Ruggedcom to patch APE 2.0
“As a following security measure, Siemens strongly recommends to change passwords and renew certificates after securing the devices (either by patching or by implementing steps mentioned above),” according to the company’s advisory. “Old certificates should be revoked to prevent misuse. Siemens also recommends protecting network access to all products except for perimeter devices such as CP1543-1 with appropriate mechanisms. It is advised to follow recommended security practices and to configure the environment according to operational guidelines in order to run the devices in a protected IT environment.”
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Verosint Launches Account Fraud Detection and Prevention Platform
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
