This afternoon the DHS ICS-CERT published updates on a Siemens HeartBleed Advisory, an update of their SA Alert on HeartBleed and one new advisory for an Ecava information disclosure vulnerability.
My followers on TWITTER® already heard about the Siemens update last Friday morning when Siemens @ProductCert tweeted about the publication of their updated HeartBleed advisory that included notification that their WinCC product now has an update available to fix the HeartBleed bug in that system.
ICS-CERT published their late update of the HeartBleed advisory that they issued on April 15th. The ICS-CERT Situational Awareness Alert was updated to show the new Siemens status. It also adds two new affected industrial control system notifications, one for ABB (Relion 650 series Ver. 1.3.0) and one for Digi (ConnectPort LTS, ConnectPort X2e, Digi Embedded Linux, and Wireless Vehicle Bus Adapter). Separate advisories are in the works. The links above are for the vendor notices.
The ABB mitigation measures are still under development, and the Digi updates may already be available (the document was published on 4-18-14 with an availability date for the fix of 4-21-14). Digi is making the remote update service for remote devices available free of charge for 30 days.
ICS-CERT also added a list of Digi devices to the list of unaffected ICS services. This was also found on the Digi web site link identified above.
The new advisory reports on an information disclosure vulnerability in the Ecava IntegraXOR product that was reported by Andrea Micalizzi, aka rgod, in a coordinated disclosure via the Zero Day Initiative. Ecava has produced a new version that mitigates the vulnerability, but there is no indication in the advisory that Micalizzi has verified the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to obtain clear text administrative credentials and own the system.
The Ecava vulnerability note provides additional measures that can be employed to mitigate the vulnerability until the patch is put into place. They note that since the complete project URL is needed to exploit this vulnerability, owner/operators should avoid publication of the full URL. They also recommend avoiding the use of the default port number.