Today the DHS ICS-CERT published five advisories; one an update of the generic OpenSSL Alert and two new control system HeartBleed advisories, a security certificate advisory and a good ‘old-fashioned’ SQL Injection advisory.
Generic OpenSSL Advisory
Instead of continuing to provide ‘letter’ updates to the original OpenSSL Alert (last updated 4-29-14), ICS-CERT upgraded the document to an Advisory. There is a lot of new information in the new Advisory, including discussions of:
• The vulnerability;
• Mitigation overview;
• OpenSSL scanning;
• Detection signatures;
• Specialized search engines;
At first glance it is disappointing that there is not a list of affected and unaffected systems included in the Advisory the way there was in the earlier Alert. On closer inspection there is a download link to a spread sheet that provides that information in much more detail. I would have preferred something that would have let you know the latest date that the list had been updated (today’s was last updated 5-15-14).
Two Product Specific HeartBleed Advisories
The two product specific Advisories are for products from Unified Automation and Schneider. The UA advisory contains a link to their description of the HeartBleed vulnerability. The Schneider advisory notes that the problem is not actually theirs; it exists in a third party component (from Tableau Software). As always this raises the question of what other vendors may be using the offending application in their products and thus have the same vulnerability.
This advisory is for an SQL injection advisory for CSWorks software. The vulnerability was reported by John Leitch in a coordinated disclosure via the Zero Day Initiative. CSWorks has produced an updated version that mitigates the vulnerability, though there is no mention if Leitch has verified the efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to possibly execute arbitrary code.
The CSWorks security release for this vulnerability reminds system administrators that under “no circumstances should administrators give root access to CSWorks”.
This advisory is for a certificate verification vulnerability in the Siemens RuggedCom Rox devices. This is apparently a self-identified vulnerability and Siemens is still working on firmware updates for the affected systems.
ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to execute a man-in-the-middle attack.
Pending the production of firmware updates Siemensrecommends the following interim mitigation measures:
• Secure Syslog: Siemens recommends placing the syslog server inside the trusted
network boundary until a corrected update is made available.
• Software upgrade: When updating devices running the affected ROX versions, the
identity of the update server cannot be ensured. Siemens recommends placing the
upgrade server inside the trusted network boundary.
• FTPS: Siemens recommends using SFTP for data transfer until a corrected update is available.