OpenSSL Heartbleed Vulnerability in Industrial Control Systems

Number: AL14-026 UPDATE
Date: 16 May 2014

Purpose

The purpose of this Alert is to bring attention to recently released security updates and advisories for various industrial control systems (ICS) products.

Assessment

A vulnerability in OpenSSL can expose private data to a remote, unauthenticated attacker through incorrect memory handling in the TLS heartbeat extension. This could allow a remote attacker to expose credentials and secret keys, and to decrypt secure traffic.

CVE Reference: CVE-2014-0160
CVSS Score: 9.4
Affected versions:

OpenSSL Versions 1.0.1 through 1.0.1f and 1.0.2-beta1

OpenSSL is commonly integrated into devices requiring secure communications. Consequently, remotely accessible systems and devices affected by this vulnerability are exposed to information leakage, potentially leading to credential theft and loss of control.

Be aware that both the client and server sides of the vulnerable versions of OpenSSL can be exploited. 

Affected Products

1) Schneider Electric Wonderware Intelligence:
The latest release of Wonderware Intelligence is not affected by the OpenSSL vulnerability. However, users may have reinstalled the Tableau Server, a third-party component that is affected. The following Tableau products are susceptible to the OpenSSL vulnerability:

  • Tableau Server version 8.0.6 through 8.0.9
  • Tableau Server version 8.1.0 through 8.1.5

Schneider Electric Wonderware has issued a patch and a security bulletin addressing this vulnerability in all versions.

2) Siemens RuggedCom ROX-based Devices:
The following Siemens RuggedCom ROX-based devices are affected:

  • ROX version 1.16, and
  • ROX version 2.2 through 2.5

3) Unified Automation GmbH:
The following versions of Unified Automation OPC UA SDK for Windows are affected:

  • C++ based OPC UA SDK V1.4.0 (Windows), and
  • ANSI C based OPC UA SDK V1.4.0 (Windows).
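
The version ranges listed above can be applied to an asset inventory as a first-pass triage. The following is an added example, not part of the original alert or any vendor tooling: the inventory rows, asset names and function names are constructed for illustration, and only the affected ranges come from this alert.

```python
import re

OPENSSL_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]?)(?:-(beta\d+))?", re.I)
PRODUCT_RANGES = {  # (low, high) version ranges copied from this alert
    "tableau server": [((8, 0, 6), (8, 0, 9)), ((8, 1, 0), (8, 1, 5))],
    "ruggedcom rox": [((1, 16), (1, 16)), ((2, 2), (2, 5))],
    "unified automation opc ua sdk": [((1, 4, 0), (1, 4, 0))],
}

def openssl_affected(banner):
    """True/False for an `openssl version` banner, None if it cannot be judged."""
    m = OPENSSL_RE.search(banner)
    if not m:
        return None
    base, letter, beta = m.group(1), m.group(2).lower(), (m.group(3) or "").lower()
    if base == "1.0.1":
        # Listed range is 1.0.1 (no letter) through 1.0.1f; 1.0.1 betas are not listed.
        return None if beta else letter <= "f"
    if base == "1.0.2":
        return beta == "beta1" and not letter
    return False

def product_affected(name, version):
    """True if version (zero-padded, so "8.1" is 8.1.0) is in a listed range."""
    ranges = PRODUCT_RANGES.get(name.strip().lower())
    v = tuple(int(p) for p in re.findall(r"\d+", version))
    if ranges is None or not v:
        return None
    return any(lo <= (v + (0,) * len(lo))[:len(lo)] <= hi for lo, hi in ranges)

INVENTORY = [  # constructed sample rows: (asset, component, version string)
    ("hmi-01", "openssl", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("hist-02", "openssl", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("rtr-04", "RuggedCom ROX", "2.4"),
    ("bi-05", "Tableau Server", "8.1.6"),
    ("plc-06", "openssl", "version not reported"),
]

def triage(rows):
    hits = []
    for asset, component, version in rows:
        verdict = (openssl_affected(version) if component.lower() == "openssl"
                   else product_affected(component, version))
        if verdict is not False:  # keep matches (True) and unknowns (None)
            hits.append((asset, verdict))
    return hits

if __name__ == "__main__":
    print(triage(INVENTORY))
```

A version-string match is only a first pass: vendor builds that backport the fix may still report an in-range version, so a hit or an unknown should be confirmed against the vendor advisory for that product.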

Suggested action

CCIRC recommends that owner/operators test and deploy the vendor-released updates or workarounds to affected platforms accordingly.

A Windows operating system version of OpenSSL is also available and may be integrated into specialized devices or appliances. We recommend you consult the vendor/manufacturer.

References:

1) Schneider Electric Wonderware Intelligence
http://ics-cert.us-cert.gov/advisories/ICSA-14-135-02
https://wdn.wonderware.com/sites/WDN/Pages/Security%20Central/CyberSecurityUpdates.aspx
(user registration required to access this site)

2) Siemens RuggedCom ROX-based Devices
http://ics-cert.us-cert.gov/advisories/ICSA-14-135-03
http://www.siemens.com/cert/advisories

3) Unified Automation GmbH
http://ics-cert.us-cert.gov/advisories/ICSA-14-135-04
http://www.unified-automation.com/news/news-details/article/1139-heartbleed-bug-in-openssl.html

4) Advisory (ICSA-14-135-05) - OpenSSL Vulnerability
http://ics-cert.us-cert.gov/advisories/ICSA-14-135-05

5) Situational Awareness Alert for OpenSSL Vulnerability (Update E)
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-099-01E

Number: AL14-026
Date: 24 April 2014

Purpose

The purpose of this Alert is to bring attention to recently released security updates and advisories for various industrial control systems (ICS) products.

Assessment

A vulnerability in OpenSSL can expose private data to a remote, unauthenticated attacker through incorrect memory handling in the TLS heartbeat extension. This could allow a remote attacker to expose credentials and secret keys, and to decrypt secure traffic.

CVE Reference: CVE-2014-0160
CVSS Score: 9.4
Affected versions: OpenSSL versions 1.0.1 through 1.0.1f

OpenSSL is commonly integrated into devices requiring secure communications. Consequently, remotely accessible systems and devices affected by this vulnerability are exposed to information leakage, potentially leading to credential theft and loss of control.

Be aware that both the client and server sides of the vulnerable versions of OpenSSL can be exploited.

Affected Products
Innominate is a manufacturer of network security devices designed for use in industrial environments. mGuard is a cellular security router for GPRS, UMTS and CDMA networks.

Affected Siemens SCADA and PLC products:

CERTEC specialises in process control technologies. Atvise is a web technology based human machine interface (HMI) used to access SCADA systems.

Suggested action

CCIRC recommends that owner/operators test and deploy the vendor-released updates or workarounds to affected platforms accordingly.

A Windows operating system version of OpenSSL is also available and may be integrated into specialized devices or appliances. We recommend you consult the vendor/manufacturer.

References:

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that the CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
