Heartbleed is a flaw in the OpenSSL implementation of the transport layer security/datagram transport layer security (TLS/DTLS) heartbeat functionality that could disclose private/encrypted information to an attacker.
The affected Siemens industrial products, enumerated in an ICS-CERT advisory, are for process and network control and monitoring in critical infrastructure sectors such as chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems. Remote attackers can read unallocated memory of processes running OpenSSL and so reveal secrets such as transmitted data, passwords or private keys.
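To make the mechanism described above concrete, here is an added, simplified model of heartbeat handling. It is written for this page and is not OpenSSL's code nor anything from the Siemens or Innominate firmware: a handler that trusts the peer-supplied payload length sits beside a hardened one that checks that length against the bytes actually received. The record layout follows the TLS heartbeat extension (RFC 6520); the `process_memory` buffer, the `SECRET-KEY` string and every function name are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat record (after RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * Illustrative model only; not OpenSSL's implementation. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_HEADER    3

/* Constructed "process memory": the record is placed at the start and a secret
 * (standing in for key material or session data) sits immediately after it. */
#define MEM_SIZE 64
static unsigned char process_memory[MEM_SIZE];
static const char secret[] = "SECRET-KEY";

/* Writes a request whose real payload is "hi" (2 bytes) but whose header claims
 * claimed_len bytes. Returns the real length of the record in memory (21). */
static size_t build_memory(uint16_t claimed_len)
{
    memset(process_memory, 0, MEM_SIZE);
    process_memory[0] = HB_REQUEST;
    process_memory[1] = (unsigned char)(claimed_len >> 8);
    process_memory[2] = (unsigned char)(claimed_len & 0xFF);
    process_memory[3] = 'h';
    process_memory[4] = 'i';
    memset(process_memory + 5, 0xAA, HB_PADDING);           /* padding bytes */
    size_t record_len = HB_HEADER + 2 + HB_PADDING;
    memcpy(process_memory + record_len, secret, sizeof secret - 1);
    return record_len;
}

/* Vulnerable handler: trusts payload_length and never compares it with the
 * number of bytes actually received. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *resp, size_t resp_cap)
{
    (void)rec_len;   /* the defect: the real record length is ignored */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + payload_len + HB_PADDING > resp_cap)
        return 0;    /* keeps the demo inside its own buffers; not part of the bug */
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    /* When payload_len exceeds the real payload, memory adjacent to the record
     * is copied into the response and echoed back to the peer. */
    memcpy(resp + HB_HEADER, rec + HB_HEADER, payload_len);
    memset(resp + HB_HEADER + payload_len, 0, HB_PADDING);
    return HB_HEADER + payload_len + HB_PADDING;
}

/* Hardened handler: a record whose claimed payload (plus header and padding)
 * does not fit in the bytes received is silently dropped. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *resp, size_t resp_cap)
{
    if (rec_len < (size_t)HB_HEADER + HB_PADDING)
        return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + payload_len + HB_PADDING > rec_len)
        return 0;    /* claimed length exceeds what was received: discard */
    if ((size_t)HB_HEADER + payload_len + HB_PADDING > resp_cap)
        return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HEADER, rec + HB_HEADER, payload_len);
    memset(resp + HB_HEADER + payload_len, 0, HB_PADDING);
    return HB_HEADER + payload_len + HB_PADDING;
}

/* Returns 1 if the constructed secret appears anywhere in buf[0..n). */
static int contains_secret(const unsigned char *buf, size_t n)
{
    size_t slen = sizeof secret - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, secret, slen) == 0)
            return 1;
    return 0;
}

/* Feeds a request claiming 40 payload bytes to both handlers. Returns 1 when the
 * vulnerable handler leaks the secret and the fixed handler drops the record. */
int heartbleed_demo(size_t *vuln_out, size_t *fixed_out)
{
    unsigned char resp[128];
    size_t rec_len = build_memory(40);
    size_t v = heartbeat_vulnerable(process_memory, rec_len, resp, sizeof resp);
    int leaked = v > 0 && contains_secret(resp, v);
    size_t f = heartbeat_fixed(process_memory, rec_len, resp, sizeof resp);
    if (vuln_out) *vuln_out = v;
    if (fixed_out) *fixed_out = f;
    return leaked && f == 0;
}

/* A well-formed request (claimed length matches the real payload) is still answered. */
size_t heartbeat_fixed_honest(void)
{
    unsigned char resp[128];
    size_t rec_len = build_memory(2);
    return heartbeat_fixed(process_memory, rec_len, resp, sizeof resp);
}

int main(void)
{
    size_t v = 0, f = 0;
    int ok = heartbleed_demo(&v, &f);
    printf("vulnerable handler: %zu bytes returned, secret leaked: %s\n", v, ok ? "yes" : "no");
    printf("fixed handler: %zu bytes returned (0 = request dropped)\n", f);
    return 0;
}
```

Compile with any C99 compiler and run; the vulnerable handler answers the forged request with 59 bytes that include the bytes lying past the real record, while the hardened handler returns nothing for it and still answers the honest 2-byte request. The single length comparison in `heartbeat_fixed` is the whole of the fix; the network isolation measures later in the article reduce who can send such a request but do not remove the defect, which is why the firmware update and key replacement still matter.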
“The attacker must have network access to the affected devices to exploit this vulnerability,” Siemens said, noting that it’s working on patches for all affected products. “Siemens recommends operating all products except perimeter devices only within trusted networks.”
Innominate, meanwhile, said that its mGuard family of products, which are industrial security routers common in communications, healthcare and public health, and critical manufacturing sectors, are vulnerable – specifically mGuard firmware Versions 8.0.0 and 8.0.1. Although the Phoenix Contact-branded devices that run the software are not likely to be affected, a new firmware version has been released to alleviate concern there. Also, mGuard firmware versions prior to 8.0.0, whether running on Phoenix Contact or other device brands, are not affected.
“Because of the unpredictable memory layout of HTTPS communication, it is possible that the private key of the mGuard web graphic user interface could be disclosed,” ICS-CERT warned. “An attacker could use this key to impersonate the authenticated user and perform a man-in-the-middle attack.”
Innominate has released the mGuard firmware Version 8.0.2 update to fix the flaw – users should replace the SSL keys on the affected products after upgrading, since keys exposed before the update remain compromised. The mGuard firmware Version 8.0.2 provides a combined function to replace both the HTTPS and SSH keys.
ICS-CERT said that asset owners should take additional defensive measures to protect against this and other cybersecurity risks, including minimizing network exposure for all control system devices and/or systems, and ensuring that they are not accessible from the internet. Administrators should also locate control system networks and remote devices behind firewalls, and isolate them from the business network. And when remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available.