Certec Fixes Heartbleed Vulnerability

Friday, April 25, 2014 @ 04:04 PM gHale


Certec released new libraries that mitigate the OpenSSL Heartbleed vulnerability in its atvise scada product, according to a report on ICS-CERT.

This remotely exploitable vulnerability, reported by researcher Bob Radvanovsky of Infracritical, leverages the OpenSSL Heartbleed vulnerability. Exploits are publicly available.


Certec said the vulnerability affects its atvise scada Versions 2.3 and above.

An attacker exploiting the OpenSSL Heartbleed vulnerability may be able to obtain the target system's private keys. The attacker could then use such a key to impersonate the authenticated user and perform a man-in-the-middle attack.

Certec EDV GmbH’s headquarters is in Austria. The affected product, atvise, is a web-based human-machine interface supervisory control and data acquisition (HMI/SCADA) system. According to Certec, atvise sees use in every field of industrial automation across the globe.

atvise scada uses OpenSSL Version 1.0.1, a cryptographic library and transport layer security (TLS) implementation known to be vulnerable to Heartbleed.

CVE-2014-0160 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.

An attacker with a low skill level would be able to exploit this vulnerability.

Certec has made the new OpenSSL (1.0.1g) libraries available to fix the Heartbleed bug in atvise. The DLLs and the installation instructions are on their web site.
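The advisory pins the affected library to OpenSSL 1.0.1 and the fix to 1.0.1g. The script below is an added example, not Certec's or ICS-CERT's code, that turns that into an inventory check a plant engineer can run offline: it parses OpenSSL version strings (including the letter suffix and beta tags) and the hex `OPENSSL_VERSION_NUMBER` layout, applies the published affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1), and triages a constructed list of `openssl version` banners. The host names and banners in `SAMPLE_INVENTORY` are made up for the example.

```python
"""Triage OpenSSL builds against the Heartbleed (CVE-2014-0160) affected range.

Added example, not Certec's or ICS-CERT's code.  The sample inventory is constructed.
"""
import re
from typing import Dict, NamedTuple


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    patch: int   # letter suffix as a number: a=1 ... z=26, za=27 ...; 0 if none
    status: str  # 'dev', 'beta<n>' or 'release'


# Dotted form as printed by `openssl version`, e.g. 1.0.1f, 1.0.2-beta1, 1.0.1-dev
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|dev))?$")


def parse_version(text: str) -> OpenSSLVersion:
    """Parse a dotted OpenSSL version string into its components."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, fix, letters, status = m.groups()
    patch = 0
    for ch in letters:  # 'f' -> 6, 'z' -> 26, 'za' -> 27, matching OpenSSL's scheme
        patch += ord(ch) - ord("a") + 1
    return OpenSSLVersion(int(major), int(minor), int(fix), patch, status or "release")


def parse_version_number(num: int) -> OpenSSLVersion:
    """Decode the OPENSSL_VERSION_NUMBER layout MNNFFPPS used by OpenSSL 0.9.x-1.1.x.

    Example: 0x1000107f is 1.0.1g release.  Status nibble: 0 dev, 1-14 beta1..beta14,
    15 release.  Useful when a binary's build constant is known but no CLI is present.
    """
    major = (num >> 28) & 0xF
    minor = (num >> 20) & 0xFF
    fix = (num >> 12) & 0xFF
    patch = (num >> 4) & 0xFF
    s = num & 0xF
    status = "dev" if s == 0 else ("release" if s == 0xF else "beta%d" % s)
    return OpenSSLVersion(major, minor, fix, patch, status)


def is_heartbleed_affected(v: OpenSSLVersion) -> bool:
    """Published affected range: 1.0.1 through 1.0.1f, and 1.0.2-beta1.

    Caveat: a 1.0.1 build compiled with OPENSSL_NO_HEARTBEATS is not affected, which
    the version number alone cannot show; treat a hit here as "must verify".
    """
    if (v.major, v.minor, v.fix) == (1, 0, 1):
        return v.patch <= 6          # 1.0.1 .. 1.0.1f; 1.0.1g (patch 7) carries the fix
    if (v.major, v.minor, v.fix) == (1, 0, 2):
        return v.status == "beta1"   # 1.0.2-beta1 shipped the bug; beta2 fixed it
    return False                     # 0.9.8 and 1.0.0 never had the heartbeat code


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> `openssl version` banner to host -> AFFECTED/fixed/unaffected/unknown."""
    results = {}
    for host, banner in inventory.items():
        m = re.search(r"OpenSSL (\S+)", banner)
        try:
            v = parse_version(m.group(1)) if m else None
        except ValueError:
            v = None
        if v is None:
            results[host] = "unknown"
        elif is_heartbleed_affected(v):
            results[host] = "AFFECTED"
        elif (v.major, v.minor, v.fix) in ((1, 0, 1), (1, 0, 2)):
            results[host] = "fixed"      # same branch, at or past the fixed release
        else:
            results[host] = "unaffected"
    return results


# Constructed sample data; host names and banners are not from the advisory.
SAMPLE_INVENTORY = {
    "hmi-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "hmi-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "historian": "OpenSSL 1.0.0l 6 Jan 2014",
    "eng-ws": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "plc-gw": "no openssl installed",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-10s %s" % (host, verdict))
```

A host reported as AFFECTED needs the 1.0.1g libraries from the vendor; because the bug can leak the private key before the patch is applied, replacing the key and certificate after updating is part of the remediation, not an optional extra.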
