Unified Automation Heartbleed Vulnerability

Friday, May 16, 2014 @ 04:05 PM gHale


Unified Automation GmbH discovered that its OPC UA Software Development Kits (SDKs) for Windows include vulnerable OpenSSL libraries, according to an ICS-CERT advisory.

HTTPS support is disabled by default in the Unified Automation SDK products. Where HTTPS is enabled, users should replace the bundled OpenSSL library with a current version (1.0.1g or later) to mitigate the remotely exploitable vulnerability.


The following Unified Automation GmbH OPC UA SDK for Windows versions suffer from the issue:
• C++ based OPC UA SDK V1.4.0 (Windows), and
• ANSI C based OPC UA SDK V1.4.0 (Windows).

If HTTPS is enabled, an application built on the OPC UA SDK is exposed to the OpenSSL Heartbleed vulnerability. A missing bounds check in the handling of the TLS Heartbeat extension lets a connected peer read up to 64 kB of the device's process memory per heartbeat request, and the request can be repeated. An attacker who successfully exploits this vulnerability could read data held by the device, including user credentials and cryptographic keys.
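The bug's shape, as an added illustration that is neither OpenSSL's source nor code from the Unified Automation SDK: a simplified heartbeat handler that trusts the peer's 16-bit length field sits beside the checked version. The memory image, the "secret" bytes placed after the record and the lying request are all constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a TLS heartbeat record (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * Illustrative reconstruction of the bug's shape, not OpenSSL's source. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_MIN_PADDING = 16 };

/* Vulnerable shape (OpenSSL 1.0.1 through 1.0.1f): the length the peer claims
 * is trusted and never compared with the bytes actually received, so memcpy
 * reads past the end of the record into whatever memory follows it. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                                     /* never consulted: the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);                 /* over-read when payload > rec_len - 3 */
    return 3 + (size_t)payload;
}

/* Hardened shape (what the 1.0.1g fix adds): bound the claimed length by the
 * record length before touching the payload; a lying peer gets no reply. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < (size_t)(1 + 2 + HB_MIN_PADDING))    /* not even header plus padding */
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_MIN_PADDING > rec_len)
        return 0;                                      /* claimed length exceeds the record: drop */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    return 3 + (size_t)payload;
}

/* Constructed memory image (demo data, not a real capture): a heartbeat
 * request with a 4-byte payload followed by bytes standing in for adjacent
 * heap contents, here a made-up session credential. */
#define PAYLOAD_REAL 4
#define RECORD_LEN   (1 + 2 + PAYLOAD_REAL + HB_MIN_PADDING)   /* 23 bytes on the wire */
static const char SECRET[] = "user=admin;pass=hunter2";
static uint8_t memory_image[256];

static void build_memory_image(uint16_t claimed_len)
{
    memset(memory_image, 0, sizeof memory_image);
    memory_image[0] = HB_REQUEST;
    memory_image[1] = (uint8_t)(claimed_len >> 8);
    memory_image[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(memory_image + 3, "ping", PAYLOAD_REAL);
    /* bytes 7..22 stay zero as padding; the "secret" sits right after the record */
    memcpy(memory_image + RECORD_LEN, SECRET, sizeof SECRET);
}

/* Does buf[0..len) contain the NUL-terminated string s? (memmem is not portable) */
static int contains(const uint8_t *buf, size_t len, const char *s)
{
    size_t slen = strlen(s);
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(buf + i, s, slen) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler's reply to a lying request carries the secret. */
int vulnerable_leaks_secret(void)
{
    uint8_t reply[512] = {0};
    build_memory_image(64);                            /* claims 64 bytes, sends 4 */
    size_t n = heartbeat_vulnerable(memory_image, RECORD_LEN, reply);
    return contains(reply, n, SECRET);
}

/* 1 if the fixed handler drops the same lying request. */
int fixed_rejects_lying_length(void)
{
    uint8_t reply[512] = {0};
    build_memory_image(64);
    return heartbeat_fixed(memory_image, RECORD_LEN, reply) == 0;
}

/* 1 if the fixed handler still answers an honest request with a 7-byte reply. */
int fixed_accepts_honest_length(void)
{
    uint8_t reply[512] = {0};
    build_memory_image(PAYLOAD_REAL);
    size_t n = heartbeat_fixed(memory_image, RECORD_LEN, reply);
    return n == 3 + PAYLOAD_REAL && memcmp(reply + 3, "ping", PAYLOAD_REAL) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks adjacent memory: %d\n", vulnerable_leaks_secret());
    printf("fixed handler drops lying request:       %d\n", fixed_rejects_lying_length());
    printf("fixed handler answers honest request:    %d\n", fixed_accepts_honest_length());
    return 0;
}
```

The real over-read lands in whatever the allocator placed next to the record buffer, which is why the advisory lists credentials and private keys as exposed; the demo simply places a credential there so the effect is visible.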

Unified Automation GmbH is a German company whose SDKs are sold worldwide, with most customers in Europe and the United States. The SDKs are used in the critical manufacturing and energy sectors by manufacturers of programmable logic controllers, human-machine interface/supervisory control and data acquisition (HMI/SCADA) systems, data logging and supervisory control systems, and some manufacturing execution systems (MES).

The affected products, C++ based OPC UA SDK V1.4.0 (Windows) and ANSI C based OPC UA SDK V1.4.0 (Windows), are software development kits for OPC UA. Unified Automation offers products and services in the field of standardized communication in the automation industry.

Both V1.4.0 SDKs ship with OpenSSL 1.0.1f, a vulnerable version. Only HTTPS connections are affected, and only if HTTPS is enabled.

CVE-2014-0160 is the identifier assigned to this vulnerability, which has a CVSS v2 base score of 5.0.

Exploits that target this vulnerability are publicly available, and an attacker with low skill would be able to exploit it.

Unified Automation recommends the following solutions for customers using the HTTPS functionality:
• Disable HTTPS transport by configuration in the C++ SDK (default)
• Recompile the SDK without HTTPS support (default)
• Download the current version of OpenSSL from http://www.openssl.org or the personal download area on the Unified Automation web site and recompile the SDK
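Before and after swapping the library, a practitioner wants to confirm which OpenSSL build a binary actually carries. The following is an added example, not Unified Automation's code or tooling: it classifies OpenSSL version banners against the Heartbleed-affected range and scans a byte buffer, such as a DLL read from disk, for them. The sample bytes are constructed for the demo, and the DLL path passed on the command line is yours to supply (the advisory does not name the library files).

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Ordered so that the worst finding wins when a file contains several banners. */
typedef enum { OSSL_UNKNOWN = 0, OSSL_UNAFFECTED = 1, OSSL_FIXED = 2, OSSL_VULNERABLE = 3 } ossl_status;

/* Classify an OpenSSL version banner such as "OpenSSL 1.0.1f 6 Jan 2014".
 * CVE-2014-0160 is present in 1.0.1 through 1.0.1f and in 1.0.2-beta1;
 * 1.0.1g, 1.0.2-beta2 and later are fixed; the 0.9.8 and 1.0.0 branches
 * never contained the heartbeat code. Anything else is reported as unknown. */
ossl_status classify_banner(const char *banner)
{
    if (strncmp(banner, "OpenSSL ", 8) != 0)
        return OSSL_UNKNOWN;
    const char *v = banner + 8;
    if (strncmp(v, "0.9.8", 5) == 0 || strncmp(v, "1.0.0", 5) == 0)
        return OSSL_UNAFFECTED;
    if (strncmp(v, "1.0.2-beta1", 11) == 0 && !isalnum((unsigned char)v[11]))
        return OSSL_VULNERABLE;
    if (strncmp(v, "1.0.2", 5) == 0)
        return OSSL_FIXED;
    if (strncmp(v, "1.0.1", 5) == 0) {
        char letter = v[5];                            /* 'a'..'f' vulnerable, 'g' and later fixed */
        if (!islower((unsigned char)letter))
            return OSSL_VULNERABLE;                    /* bare "1.0.1" */
        return letter >= 'g' ? OSSL_FIXED : OSSL_VULNERABLE;
    }
    return OSSL_UNKNOWN;
}

/* Scan a byte buffer (e.g. a DLL image read from disk) for every banner and
 * return the worst status found. */
ossl_status scan_buffer(const unsigned char *buf, size_t len)
{
    static const char needle[] = "OpenSSL ";
    const size_t nlen = sizeof needle - 1;
    ossl_status worst = OSSL_UNKNOWN;
    for (size_t i = 0; i + nlen <= len; i++) {
        if (memcmp(buf + i, needle, nlen) != 0)
            continue;
        char banner[32];                               /* enough for "OpenSSL 1.0.2-beta1" */
        size_t n = len - i < sizeof banner - 1 ? len - i : sizeof banner - 1;
        memcpy(banner, buf + i, n);
        banner[n] = '\0';
        ossl_status s = classify_banner(banner);
        if (s > worst)
            worst = s;
    }
    return worst;
}

/* Read a whole file and scan it; unknown on any I/O failure. */
ossl_status scan_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return OSSL_UNKNOWN;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return OSSL_UNKNOWN; }
    long sz = ftell(f);
    if (sz < 0 || fseek(f, 0, SEEK_SET) != 0) { fclose(f); return OSSL_UNKNOWN; }
    unsigned char *buf = malloc(sz > 0 ? (size_t)sz : 1);
    if (!buf) { fclose(f); return OSSL_UNKNOWN; }
    size_t got = fread(buf, 1, (size_t)sz, f);
    fclose(f);
    ossl_status s = scan_buffer(buf, got);
    free(buf);
    return s;
}

/* Constructed stand-in for a DLL's data section: junk around an OpenSSL 1.0.1f
 * banner (demo bytes, not a real binary). */
static const unsigned char SAMPLE_DLL[] =
    "MZ\x90\0\3\0\0\0\4\0\0\0" "random-section-data" "\0\0"
    "OpenSSL 1.0.1f 6 Jan 2014" "\0\0" "TLSv1 heartbeat read bytes" "\0";

static const char *status_name(ossl_status s)
{
    switch (s) {
    case OSSL_VULNERABLE: return "VULNERABLE (replace with 1.0.1g or later)";
    case OSSL_FIXED:      return "fixed";
    case OSSL_UNAFFECTED: return "unaffected branch";
    default:              return "unknown";
    }
}

int main(int argc, char **argv)
{
    if (argc > 1) {                                    /* e.g. scan_openssl <path to the SDK's OpenSSL DLL> */
        printf("%s: %s\n", argv[1], status_name(scan_file(argv[1])));
        return 0;
    }
    printf("constructed sample: %s\n", status_name(scan_buffer(SAMPLE_DLL, sizeof SAMPLE_DLL)));
    return 0;
}
```

A banner check only tells you which OpenSSL a file was built from; if the SDK was recompiled with HTTPS support removed, the heartbeat code may be absent even though an older banner remains, so treat "VULNERABLE" as a prompt to verify the build configuration rather than as proof of exposure.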



