The Latest in IT Security

Siemens Patching Industrial Products Affected by Heartbleed

29
Apr
2014

Siemens has updates available for two of its products affected by the Heartbleed vulnerability.

So far, Siemens has released updates for its eLANand WinCC OA software.According to the company, the following products are also affected, but have not yet been patched:

S7-1500 V1.5 (affected when HTTPS active)

CP1543-1 V1.1 (affected when FTPS active)

APE 2.0 (affected when SSL/TLS component is used in customer implementation).

“Siemens is working on updates for the affected products and recommends specific countermeasures until fixes are available,” the company said in an advisory April 25.

In an advisory from the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Readiness Team (ICS-CERT), it was noted that a successful exploit of the affected products by an attacker with network access would allow the attacker to read sensitive data such as private keys and user credentials from the process memory.

“Impact to individual organizations depends on many factors that are unique to each organization,” according to the ICS-CERT. “ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.”

Siemens recommends operating all products, except perimeter devices, within only trusted networks. Users of eLAN should upgrade to version 8.3.3, while WinOCC OA users should upgrade to version 3.12-P006. While customers wait for patches for the other products, they have a number of steps they can take to mitigate the threat.

For S7-1500 V1.5:

Disable the web server, or

Limit web server access to trusted networks only

Remove the certificate from the browser

For CP1543-1 V1.1:

Disable FTPS, or

Use FTPS in trusted network, or

Use the VPN functionality to tunnel FTPS

For APE 2.0:

Update OpenSSL to 1.0.1g before distributing a solution. Follow instructions from Ruggedcom to patch APE 2.0

“As a following security measure, Siemens strongly recommends to change passwords and renew certificates after securing the devices (either by patching or by implementing steps mentioned above),” according to the company’s advisory. “Old certificates should be revoked to prevent misuse. Siemens also recommends protecting network access to all products except for perimeter devices such as CP1543-1 with appropriate mechanisms. It is advised to follow recommended security practices and to configure the environment according to operational guidelines in order to run the devices in a protected IT environment.”

Tweet

Brian Prince is a Contributing Writer for SecurityWeek.Previous Columns by Brian Prince:Siemens Patching Industrial Products Affected by Heartbleed Money Launders Look to Online Casinos: ReportFBI Issues Warning to Healthcare Industry on Cyber Security: ReportMozilla Creates $10K Bug Bounty Program for New Certificate Verification Library Bad Bot Percentage of Web Traffic Nearly Doubled in 2013: Report

sponsored links

Tags: NEWS INDUSTRY

Vulnerabilities

Comments are closed.

Categories

WEDNESDAY, JUNE 19, 2019
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments

Social Networks