===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0054
A vulnerability has been identified in several Siemens industrial products
                               17 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Siemens eLAN-8.2
                      Siemens WinCC OA
                      Siemens S7-1500
                      Siemens CP1543-1
                      Siemens APE
Operating System:     Network Appliance
Impact/Access:        Access Privileged Data -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-0160  
Member content until: Saturday, May 17 2014

OVERVIEW

        A vulnerability has been identified in several Siemens industrial 
        products.
        
        Siemens lists the following as affected products [1]:
        - eLAN-8.2 eLAN < 8.3.3 (affected when RIP is used - update available)
        - WinCC OA only V3.12 (always affected)
        - S7-1500 V1.5 (affected when HTTPS active)
        - CP1543-1 V1.1 (affected when FTPS active)
        - APE 2.0 (affected when SSL/TLS component is used in customer
          implementation)


IMPACT

        The vendor has provided the following details regarding this 
        vulnerability:
        
        'The "Heartbleed" vulnerability in the OpenSSL cryptographic software 
        library (CVE-2014-0160) affects several Siemens industrial products. 
        
        Siemens is working on updates for the affected products and recommends 
        specific countermeasures until fixes are available. 
        
        Siemens already provides an update for one of the products which fixes 
        this vulnerability.' [1]


MITIGATION

        It is recommended that administrators apply the vendor updates to
        affected devices as they become available. For products with no update
        available yet, Siemens "recommends operating all products except
        perimeter devices only within trusted networks". [1]
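        Added illustration, not part of the AusCERT bulletin or the Siemens
        advisory: a detector for the malformed TLS heartbeat records that
        CVE-2014-0160 is triggered by, the kind of check an IDS in front of an
        affected device can apply while an update is pending. The record layout
        follows RFC 6520 and the length arithmetic mirrors the bounds check added
        in the OpenSSL fix; the sample records are constructed here.

```python
import struct

TLS_HEARTBEAT = 0x18   # TLS record content type for the Heartbeat extension (RFC 6520)
HB_REQUEST = 1
MIN_PADDING = 16       # RFC 6520 requires at least 16 bytes of random padding


def check_heartbeat_record(record: bytes) -> str:
    """Classify one raw TLS record.

    Returns 'not-heartbeat', 'truncated', 'ok' or 'oversized-payload'.
    'oversized-payload' is the CVE-2014-0160 pattern: the heartbeat's declared
    payload_length does not fit inside the record carrying it. Unpatched
    OpenSSL trusted that field when copying the payload into its response.
    """
    if len(record) < 5:
        return 'truncated'
    content_type, _version, rec_len = struct.unpack('!BHH', record[:5])
    if content_type != TLS_HEARTBEAT:
        return 'not-heartbeat'
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 3:
        return 'truncated'
    _hb_type = body[0]
    payload_len = struct.unpack('!H', body[1:3])[0]
    # Same check the fixed OpenSSL performs: type(1) + length(2) + payload + padding(16)
    # must fit within the record length actually received.
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return 'oversized-payload'
    return 'ok'


# Constructed sample records (TLS 1.2 header, 23-byte heartbeat body).
BENIGN = b'\x18\x03\x03\x00\x17' + bytes([HB_REQUEST]) + b'\x00\x04' + b'ping' + b'\x00' * MIN_PADDING
# Same 4-byte payload, but declares 0x4000 bytes it does not carry.
MALFORMED = b'\x18\x03\x03\x00\x17' + bytes([HB_REQUEST]) + b'\x40\x00' + b'ping' + b'\x00' * MIN_PADDING
# An application-data record, which the detector must ignore.
APP_DATA = b'\x17\x03\x03\x00\x02\xaa\xbb'

if __name__ == '__main__':
    for name, rec in (('benign', BENIGN), ('malformed', MALFORMED), ('app-data', APP_DATA)):
        print(f'{name}: {check_heartbeat_record(rec)}')
```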


REFERENCES

        [1] SSA-635659: Heartbleed Vulnerability in Siemens Industrial Products
            http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-635659.pdf

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================