This morning the US-CERT (NOT my normal ICS-CERT) published an alert for a TLS/DTLS heartbeat extension vulnerability in the OpenSSL library. Now I don’t normally follow US-CERT vulnerability announcements very closely, but it has been pointed out that this vulnerability may have a very big control system component.
US-CERT notes that a remote attacker with a publicly available exploit could gain access to sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension. This could allow the attacker to decrypt data, obtain log-in credentials, or perform man-in-the-middle attacks against connections secured with OpenSSL.
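As an added illustration (not from the US-CERT alert or this post), here is a constructed C model of the faulty length handling: the vulnerable handler echoes as many bytes as the sender's heartbeat header claims, while the hardened one first checks that claim against the record that actually arrived, which is the shape of the OpenSSL fix. The record layout, the 'S' bytes standing in for neighbouring memory, and the function names are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of a TLS heartbeat request (RFC 6520 layout):
 * type(1) | payload_length(2, big-endian) | payload | padding(>=16 bytes). */
#define HB_HEADER  3
#define HB_PADDING 16
/* Simulated process memory: a 23-byte record, then 'S' bytes standing in for
 * neighbouring heap data that a correct handler must never echo. */
static unsigned char memory[64];
static const size_t REC_LEN = HB_HEADER + 4 + HB_PADDING;

static void build_record(uint16_t declared_len) {
    memset(memory, 'S', sizeof memory);            /* "secrets" past the record */
    memory[0] = 1;                                 /* heartbeat_request */
    memory[1] = (unsigned char)(declared_len >> 8);
    memory[2] = (unsigned char)(declared_len & 0xff);
    memcpy(memory + HB_HEADER, "ping", 4);         /* the real 4-byte payload */
    memset(memory + HB_HEADER + 4, 0, HB_PADDING);
}

/* Vulnerable: trusts the declared length and never consults rec_len (the bug). */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap) {
    (void)rec_len;
    size_t declared = (size_t)((rec[1] << 8) | rec[2]);
    size_t n = declared < out_cap ? declared : out_cap;  /* out_cap: demo safety only */
    memcpy(out, rec + HB_HEADER, n);                     /* copies past the record */
    return n;
}

/* Hardened: declared length + header + padding must fit the record received. */
static size_t heartbeat_hardened(const unsigned char *rec, size_t rec_len,
                                 unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HEADER) return 0;
    size_t declared = (size_t)((rec[1] << 8) | rec[2]);
    if (declared > out_cap || HB_HEADER + declared + HB_PADDING > rec_len) return 0;
    memcpy(out, rec + HB_HEADER, declared);
    return declared;
}

/* Echo a record claiming 40 payload bytes (real: 4); count bytes leaked from outside it. */
static size_t leaked_bytes(int hardened) {
    unsigned char out[sizeof memory];
    size_t n, leaked = 0;
    build_record(40);
    n = hardened ? heartbeat_hardened(memory, REC_LEN, out, sizeof out)
                 : heartbeat_vulnerable(memory, REC_LEN, out, sizeof out);
    for (size_t i = 0; i < n; i++) leaked += (out[i] == 'S');
    return leaked;   /* 20 for the vulnerable handler, 0 for the hardened one */
}
```

The 20 leaked bytes are exactly what sits past the 23-byte record in the simulated memory; in a real process that region holds whatever the server last used, which is why keys and credentials are in scope.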
There is an interesting discussion of this vulnerability at HeartBleed.com.
The Control System Connection
The popular press has made the point that this makes a number of supposedly secure communications protocols vulnerable. One such protocol could be an organization's virtual private network (VPN). Since ICS-CERT has been pushing the use of VPNs for ‘secure’ remote connections to control systems, a number of people are relying on OpenSSL-based VPNs to connect to their control systems. These ‘secure’ connections are now vulnerable.
In a post over on the SCADASEC list at Infracritical.com Jake Brodsky notes that “this is a problem with the source code of OpenSSL/TLS. This code is embedded in many places, including many SCADA RTUs and associated network hardware”. People are going to have to do some hard looking to find all of the implementations of this library and get them corrected.
It would be real nice if ICS-CERT were to get out in front of the control system vulnerability side of this issue.