This afternoon the DHS ICS-CERT updated their ‘Situational Awareness Alert for OpenSSL Vulnerability’, commonly referred to as the HeartBleed bug. The information added to date is the most extensive to date and includes:
• An advance notice about an ICS-CERT Advisory for HeartBleed in Atvise;
• An extensive (but probably not exhaustive) list of ICS related applications and devices that have been determined not to be affected by HeartBleed;
• A reminder that while older versions of OpenSSL may not be affected by HeartBleed, they do have their own known vulnerabilities; and
• A reminder that the use of SHODAN and other search engines may make it relatively easy to find ICS components that are susceptible to HeartBleed.
ICS-CERT took the unusual step of announcing that an “ICS-CERT advisory [was] coming soon” for the Certec atvise scada products. It provides a link to the atvise notice about the vulnerability. That stilted notice (okay I lived in Berlin for 7 years and my German syntax was way worse at its best than this English language notice) claims that while some versions of their products have the HeartBleed bug “but wasn't affected by known attacks”. Now they “face new kinds of attacks found nearly daily”. I certainly look forward to hearing more about the ‘new kinds of attacks’ on a SCADA system.
Atvise does have a patch available for the vulnerable OpenSSL components.
Systems Not Affected
There is a fairly long list of systems here that are not affected by the HeartBleed bug because either they ‘don’t use OpenSSL’ or ‘don’t use an affected version of OpenSSL’. Unfortunately there is not an actual control system or component on the list. They are all either communications tools or security tools. This list will be invaluable to a security manager or integrator. It does let them concentrate of other parts of their systems, but it is strangely unhelpful for control systems.
The lack of any control system applications or devices on the list is more than a little disconcerting. Two weeks into the public discussion of HeartBleed and we have two vendors (Siemens and atvise) self-identifying their infection with this bug, but no one saying that they are infection free. At this point I think that any ICS system that has not identified itself as being free of HeartBleed should, for the sake of safety and security, must be considered to be infected until proven otherwise.
Other OpenSSL Vulnerabilities
There have been any number of system vendors that have bragged that their system uses an older version of OpenSSL that is not affected by HeartBleed. Today’s update reminds people that earlier versions of the software have their own problems that should not be ignored. The Update provides a link to the OpenSSL web page that lists a large number of reported vulnerabilities in the system. If all of the patches and upgrades have not been applied to earlier versions, there may be more serious problems than HeartBleed.
SHODAN and Others
Any time you have a widespread vulnerability like HeartBleed it is valuable to be reminded that search engines like SHODAN make it relative easy for people to find vulnerable systems. That combined with the wide spread availability of automated attack and exploit tools makes it easier for both the opportunistic and targeted attackers to gain access to improperly secured systems.
ICS-CERT notes in the Alert that: “As tools and adversary capabilities advance, ICS-CERT expects that exposed systems will be more effectively discovered, and targeted.” They also remind owner/operators that they can use many of the same tools to discover if their systems are vulnerable. Knowing that their systems are accessible and vulnerable should allow owners to better protect their systems.