Today the DHS ICS-CERT published a new control system advisory for a Siemens product and provided updates on three separate HeartBleed-related documents.
The new Siemens advisory identifies three vulnerabilities in their SINEMA server. Siemens self-reported the vulnerabilities and has published a software update to mitigate the problems. The identified vulnerabilities include:
• Code injection, CVE-2014-2731 (incorrectly listed as CVE-2014-7231);
• Relative path traversal, CVE-2014-2732; and
• Improper input validation, CVE-2014-2733.
According to ICS-CERT, a relatively unskilled attacker could remotely exploit these vulnerabilities to execute arbitrary code, traverse through the file system, or cause a DoS.
ICS-CERT updated their HeartBleed Situational Awareness Alert by adding a list of ICS-related products that have been identified as being specifically affected by the OpenSSL vulnerability. Only two vendors currently have products on the list, Innominate and Siemens.
The Innominate HeartBleed Advisory was also updated. The Phoenix Contact branded versions of the Innominate devices are not affected by the HeartBleed vulnerability, but Innominate has upgraded them to the latest version to alleviate customer concerns. Only the 8.0.0 and 8.0.1 versions of the mGuard firmware are affected by the vulnerability.
ICS-CERT has also provided a link to the latest FBI list of Snort Signatures that may be used to detect attempted exploitation of the HeartBleed vulnerability.