“A missing bounds check in the handling of the TLS Heartbeat extension can be used to reveal up to 64kB of memory on a connected device,” ICS-CERT said in an advisory. “Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture and product implementation.”
Digi International is a provider of machine-to-machine (M2M) cloud products and services using both wired and wireless technologies. The affected products are wireless web/mesh-based SCADA communication systems, which are deployed across several sectors including commercial facilities, communications, critical manufacturing, energy and transportation systems. The company said in a notice that it has produced downloadable firmware upgrades that address the problem.
The Heartbleed bug, which may affect as many as two-thirds of websites, threatens to expose masses of usernames, passwords, private keys and other sensitive information worldwide. It is a coding mistake in OpenSSL, the open-source cryptographic library that implements the SSL/TLS protocols used to encrypt communications between users and the servers of a majority of online services. Because the heartbeat handler never checks the declared payload length against the length of the message actually received, an attacker can send a heartbeat request that claims a larger payload than it carries, and the server answers with up to 64kB of whatever happens to sit in its process memory: session cookies, user names and passwords in flight, and potentially the server's private key. The attack does not read databases directly, but the credentials and keys it harvests open the door to them, and it can be repeated as often as the attacker likes.
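The missing bounds check that the advisory and the paragraph above describe, as an added example that is not code from this page or from OpenSSL: a minimal C model of the TLS heartbeat handler, with the unchecked version beside the checked one. The message layout (type byte, 16-bit payload length, payload, padding) follows RFC 6520; the function names, the constructed `process_memory` array and the cookie placed in it are assumptions made for the demonstration, and real padding is random rather than zero.

```c
/* Added example, not OpenSSL's code: a minimal model of TLS Heartbeat request
 * handling with the unchecked version beside the checked one. Names, the
 * "process memory" array and the secret in it are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3    /* type (1 byte) + payload_length (2 bytes) */
#define HB_PADDING 16    /* minimum padding a heartbeat message carries */

struct tls_record {      /* a received record: bytes and length actually received */
    const unsigned char *data;
    size_t length;
};

/* Big-endian 16-bit read of the peer-supplied payload_length field. */
static uint16_t n2s(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Copy `payload` bytes from src behind a 3-byte header, then pad. The memcpy
 * is the over-read whenever `payload` exceeds what the record really holds. */
static size_t build_response(unsigned char *out, const unsigned char *src, uint16_t payload)
{
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + HB_HEADER, src, payload);
    memset(out + HB_HEADER + payload, 0, HB_PADDING);  /* real code: random bytes */
    return HB_HEADER + payload + HB_PADDING;
}

/* Vulnerable: trusts the payload_length field without looking at rec->length. */
size_t heartbeat_vulnerable(const struct tls_record *rec, unsigned char *out)
{
    const unsigned char *p = rec->data;
    if (p[0] != HB_REQUEST) return 0;
    return build_response(out, p + HB_HEADER, n2s(p + 1));
}

/* Fixed, the shape of the OpenSSL 1.0.1g patch: silently discard records too
 * short for an empty message and payload lengths that do not fit the record. */
size_t heartbeat_fixed(const struct tls_record *rec, unsigned char *out)
{
    const unsigned char *p = rec->data;
    if (rec->length < HB_HEADER + HB_PADDING || p[0] != HB_REQUEST) return 0;
    uint16_t payload = n2s(p + 1);
    if (HB_HEADER + (size_t)payload + HB_PADDING > rec->length) return 0;
    return build_response(out, p + HB_HEADER, payload);
}

/* Constructed "process memory": a 23-byte record carrying the payload "ping",
 * followed immediately by data belonging to some other connection. */
#define REAL_LEN (HB_HEADER + 4 + HB_PADDING)
static unsigned char process_memory[256];
static const char secret[] = "Cookie: session=1a2b3c4d";

static struct tls_record make_record(uint16_t claimed_len)
{
    memset(process_memory, 0, sizeof process_memory);
    process_memory[0] = HB_REQUEST;
    process_memory[1] = (unsigned char)(claimed_len >> 8);
    process_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(process_memory + HB_HEADER, "ping", 4);
    memcpy(process_memory + REAL_LEN, secret, sizeof secret);
    struct tls_record rec = { process_memory, REAL_LEN };
    return rec;
}

/* Offsets match between memory and response, so a leaked secret lands at
 * out[REAL_LEN]. Returns 1 when a request claiming 128 bytes leaks it. */
int vulnerable_leaks_secret(void)
{
    unsigned char out[512];
    struct tls_record rec = make_record(128);
    size_t n = heartbeat_vulnerable(&rec, out);
    return n == HB_HEADER + 128 + HB_PADDING &&
           memcmp(out + REAL_LEN, secret, strlen(secret)) == 0;
}

int fixed_rejects_oversized(void)     /* 1 when the fix drops the lying request */
{
    unsigned char out[512];
    struct tls_record rec = make_record(128);
    return heartbeat_fixed(&rec, out) == 0;
}

int fixed_answers_honest(void)        /* 1 when an honest request still works */
{
    unsigned char out[512];
    struct tls_record rec = make_record(4);
    size_t n = heartbeat_fixed(&rec, out);
    return n == REAL_LEN && memcmp(out + HB_HEADER, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed rejects oversized: %d\n", fixed_rejects_oversized());
    printf("fixed answers honest:    %d\n", fixed_answers_honest());
    return 0;
}
```

The request that leaks here claims 128 bytes of payload while carrying 4, so the old handler copies 125 bytes from past the end of the record, the neighbouring session cookie among them; the fixed handler drops that request and still answers an honest one. On a real server the 16-bit length field is what caps the leak at roughly 64kB per request, and nothing stops the attacker from asking again.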
ICS managers should apply the firmware updates and then revoke and reissue certificates and change passwords, since any key or credential that was in the device's memory while it was exposed may already have been read. In addition to minimizing network exposure and placing devices behind firewalls, Digi International recommends that administrators disable the web service entirely, because all products vulnerable to the OpenSSL Heartbleed bug can also be managed through the Device Cloud by Etherios service. Device Cloud is a management platform that lets operators perform device management functions on installed bases of devices on demand via the cloud.
“Disabling the HTTPS service and still maintaining manageability on the device can be accomplished in a number of ways,” the company explained. “Manage the device through a command line service like SSH, or use a Device Cloud account to centrally manage all the devices. Further, if HTTPS service is enabled and on a public IP on the Internet, restrict or disable the HTTPS web interface to specific IPs.”