Siemens Heads Off OpenSSL Holes

Monday, July 21, 2014 @ 06:07 PM gHale


Siemens found four vulnerabilities in the OpenSSL cryptographic software library that affect several of its industrial products, according to a report on ICS-CERT.

Updates are available for APE 2.0.2 and WinCC OA (PVSS). The ROX 1, ROX 2, S7-1500, and CP1543-1 products do not have a patch yet, but the company made mitigation recommendations.


These vulnerabilities are remotely exploitable. Exploits that target OpenSSL vulnerabilities are publicly available.

The following Siemens products suffer from the issue:
• APE versions prior to Version 2.0.2 (only affected if the SSL/TLS component or Crossbow is used)
• CP1543-1: all versions
• ROX 1: all versions (only affected if Crossbow is installed)
• ROX 2: all versions (only affected if eLAN or Crossbow is installed)
• S7-1500: all versions
• WinCC OA (PVSS): Version 3.8 – 3.12

The vulnerabilities identified could impact authenticity, integrity, and availability of affected devices. The man-in-the-middle attack could allow an attacker to hijack a session between an authorized user and the device. The other vulnerabilities reported could impact the availability of the device by causing the web server of the product to crash.

Siemens is a multinational company headquartered in Munich, Germany. Siemens develops products mainly for the energy, healthcare and public health, and transportation systems sectors.

The affected Siemens industrial products are for process and network control and monitoring in critical infrastructure sectors such as chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems.

An attacker could perform a man-in-the-middle (MitM) attack between a vulnerable client and a vulnerable server. This vulnerability affects ROX, APE, S7-1500, and CP1543-1. CVE-2014-0224 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.8.

Specially crafted packets may crash the web server of the product. This vulnerability affects the SIMATIC S7-1500. CVE-2014-0198 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.

Specially crafted packets may crash the web server of the product. This vulnerability affects the SIMATIC S7-1500. CVE-2010-5298 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.0.

Specially crafted packets may crash the web server of the product. This vulnerability affects WinCC OA (PVSS). CVE-2014-3470 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.

An attacker with moderate skill would be able to exploit these vulnerabilities.

Siemens provides updates for the following products:
• APE 2.0.2
• WinCC OA (PVSS), available at the Siemens ETM portal

Siemens is preparing updates for the other affected products that will fix these vulnerabilities. Siemens will provide information and update its advisory when the new releases are available. In the meantime, customers should mitigate the risk to their products by implementing the following steps:

ROX 1: all versions (only affected if Crossbow is installed)
• Use only in trusted networks

ROX 2: all versions (only affected if eLAN or Crossbow is installed)
• Follow the Application Note if eLAN is installed on APE
• Update Debian using the standard update procedures if eLAN is installed on a Linux system
• Use only in trusted networks

S7-1500: all versions
• Disable the web server
• Limit web server access to trusted networks only

CP1543-1: all versions, for FTPS and SMTP:
• Disable
• Use the VPN functionality to tunnel FTPS/SMTP
• Use only in trusted networks

Siemens also recommends protecting network access to all products except for perimeter devices such as CP1543-1 with appropriate mechanisms.

Siemens provides specific advice for mitigating risk in each of the affected products in SSA 234763, which can be found at its web site.


