Siemens Patching Industrial Products Affected by Heartbleed

Siemens has updates available for two of its products affected by the Heartbleed vulnerability.

So far, Siemens has released updates for its eLAN and WinCC OA software. According to the company, the following products are also affected, but have not yet been patched:

• S7-1500 V1.5 (affected when HTTPS active)
• CP1543-1 V1.1 (affected when FTPS active)
• APE 2.0 (affected when SSL/TLS component is used in customer implementation).

“Siemens is working on updates for the affected products and recommends specific countermeasures until fixes are available,” the company said in an advisory April 25.

In an advisory from the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Readiness Team (ICS-CERT), it was noted that a successful exploit of the affected products by an attacker with network access would allow the attacker to read sensitive data such as private keys and user credentials from the process memory.

“Impact to individual organizations depends on many factors that are unique to each organization,” according to the ICS-CERT. “ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.”

Siemens recommends operating all products, except perimeter devices, within only trusted networks. Users of eLAN should upgrade to version 8.3.3, while WinOCC OA users should upgrade to version 3.12-P006. While customers wait for patches for the other products, they have a number of steps they can take to mitigate the threat.

For S7-1500 V1.5:

• Disable the web server, or
• Limit web server access to trusted networks only
• Remove the certificate from the browser

For CP1543-1 V1.1:

• Disable FTPS, or
• Use FTPS in trusted network, or
• Use the VPN functionality to tunnel FTPS

For APE 2.0:

• Update OpenSSL to 1.0.1g before distributing a solution. Follow instructions from Ruggedcom  to patch APE 2.0

“As a following security measure, Siemens strongly recommends to change passwords and renew certificates after securing the devices (either by patching or by implementing steps mentioned above),” according to the company’s advisory. “Old certificates should be revoked to prevent misuse. Siemens also recommends protecting network access to all products except for perimeter devices such as CP1543-1 with appropriate mechanisms. It is advised to follow recommended security practices and to configure the environment according to operational guidelines in order to run the devices in a protected IT environment.”