17 April 2014
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT Security Bulletin ASB-2014.0054 A vulnerability has been identified in several Siemens industrial products 17 April 2014 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Siemens eLAN-8.2 Siemens WinCC OA Siemens S7-1500 Siemens CP1543-1 Siemens APE Operating System: Network Appliance Impact/Access: Access Privileged Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2014-0160 Member content until: Saturday, May 17 2014 OVERVIEW A vulnerability has been identified in several Siemens industrial products. Siemens lists the following as affected products : - eLAN-8.2 eLAN < 8.3.3 (affected when RIP is used - update available) - WinCC OA only V3.12 (always affected) - S7-1500 V1.5 (affected when HTTPS active) - CP1543-1 V1.1 (affected when FTPS active) - APE 2.0 (affected when SSL/TLS component is used in customer implementation) IMPACT The vendor has provided the following details regarding this vulnerability: 'The "Heartbleed" vulnerability in the OpenSSL cryptographic software library (CVE-2014-0160) affects several Siemens industrial products. Siemens is working on updates for the affected products and recommends specific countermeasures until fixes are available. Siemens already provides an update for one of the products which fixes this vulnerability.'  MITIGATION It is recommended that administrators update the firmware on affected devices to correct this issue. For products with no updates available yet, Siemens "recommends operating all products except perimeter devices only within trusted networks".  REFERENCES  SSA-635659: Heartbleed Vulnerability in Siemens Industrial Products http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-635659.pdf AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: email@example.com Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBU08zuxLndAQH1ShLAQIAzg//UJZOkVw+N5a2+jW4VBJ2yuXJT1eWoZai buMitO90WRxphG+AvtW23xEfORnY2maIiB9JP2c/Xz27OkwYlZoyztmwcSWCON6S MMJM8/zRaFDHbqRjW0lkduwissr+F69u9dP/lhl9Emb8UsF1Uxn4mOAYvba6UHmk ffAlAojxBCm5HGIjS3kfdv/VniO7IqyOUWw6mBwWZJkeUomYUXVb42274oq+Au0J lqZ07on4PPQ0VPtIdbzJ8+Fnh8cRO+zLb3wpZmxpXvQmcpp7wWoPITq2KaZxrOQN gUXFvrWDsCcxTT18HnVzQqbV+cudjmitLtQiw80FnmHTS5w+XZZpBkmN0pLy2qSM 4VhgXg1UezMeYlSi9s40dN8FGQO98NpSmYWhdSFNY0hjEkffyfLq+D0UV+vJMMxf QpFPiUAum9Qcub+4F87dVi+vhcH41HVVnthGmWU1/k3/hoByzl2KWE2SllXBxwDa 5q4Q95OgEqtJrwNEBGsecunZeyESCAoADmDDmV6vfK+eX/7Olbo9EuZwWZ9nrQS5 uNkmjJR3/A3jR/FpdVfNNk6Vcvujh+SVjO6NFFTU3IL1diGXJvLgjix/W/ij38to LfIc6BZRAST/AR2AdwVlIys6dQk2CDLmIimIGJu/15l1c1wDmsdLJyTMwzhWnW06 2QT3B36sfWc= =radz -----END PGP SIGNATURE-----