Earlier today the DHS ICS-CERT published an advisory for the HeartBleed vulnerability in various products from Digi. I discussed most of this information in my last HeartBleed post. New information: ICS-CERT reports that firmware updates are available “for most vulnerable Digi International devices”, but does not provide a list. The link provided takes one to a generic product support page where you enter your product name or select a key word to search for; neither HeartBleed nor OpenSSL is an available term.
ICS-CERT is again publishing a HeartBleed advisory without updating their Situational Awareness Alert. I almost don’t blame them, as they would quickly have to go to double letters to identify new updates if they updated the SA every time new information became available.
It would probably have been better to have had a HeartBleed web page to keep updating with new information on vulnerable, formerly vulnerable, and not vulnerable ICS products. Joel Langill over at SCADAHacker.com takes that type of approach. He is currently listing two ‘new’ ICS-related vendors, Certes Networks and Unified Automation, as having products with HeartBleed vulnerabilities.
A reader of this blog, Rob Hulsebos, posted a comment on the LinkedIn Cyber Security in Real Time Systems group providing links to HeartBleed information for Emerson and Insys.
There is probably more ICS HeartBleed information out there if you have the time to search. It sure would be nice if ICS-CERT were doing that for the community.