The ICS-CERT has issued a security advisory related to the existence of OpenSSL vulnerabilities affecting different Siemens industrial products.
Several Siemens industrial products are affected by four vulnerabilities in their OpenSSL implementation which could be remotely exploited to run a man-in-the-middle (MitM) attack or to cause the crash of web servers of the products.
The US Industrial Control Systems Cyber Emergency Response Team (ISC CERT) last week issued a security advisory (Advisory (ICSA-14-198-03)) in which warns on the availability on the Internet of the exploits that target these OpenSSL vulnerabilities.
“Siemens has identified four vulnerabilities in its OpenSSL cryptographic software library affecting several Siemens industrial products. Updates are available for APE 2.0.2 and WinCC OA (PVSS). The ROX 1, ROX 2, S7-1500, and CP1543-1 products do not have a patch at this time; however, Siemens has made mitigation recommendations. Siemens is continuing to work on patching these vulnerabilities.” states the advisory.
“The affected Siemens industrial products are for process and network control and monitoring in critical infrastructure sectors such as Chemical, Critical Manufacturing, Energy, Food and Agriculture, and Water and Wastewater Systems,” “The vulnerabilities identified could impact authenticity, integrity, and availability of affected devices.”ISC CERT added.
The following six products are affected by the OpenSSL vulnerabilities, but as explained by the ISC CERT, the patches are available only for two of them. Siemens has promptly released a list of recommendations to mitigate the risk of attacks based on the exploitation of the OpenSSL vulnerabilities.
- APE versions prior to Version 2.0.2 (only affected if SSL/TLS component or Crossbow is used),
- CP1543-1: all versions,
- ROX 1: all versions (only affected if Crossbow is installed),
- ROX 2: all versions (only affected if eLAN or Crossbow is installed),
- S7-1500: all versions, and
- WinCC OA (PVSS): Version 3.8 – 3.12
Security updates for patching the holes are available only for APE 2.0.2 and WinCC OA (PVSS).
The man-in-the-middle attack could allow a bad actor to to hijack a session between an authorized user and the device, the flaws are considerable serious due their impact on the availability of the industrial components by causing the web server of the product to crash.
“Impact to individual organizations depends on many factors that are unique to each organization,” “An attacker with a moderate skill would be able to exploit these vulnerabilities,” states the Advisory.
The advisory provides further insights on how to protect industrial systems, for example warning of spear phishing attacks, by suggesting deploying the systems behind firewalls and isolating them from the business network.