This afternoon the DHS ICS-CERT published their advisory for the ABB version of the HeartBleed vulnerability affecting the Relion 650 series application used in the electrical sector. ABB self-reported the effect of the HeartBleed bug on their system. In the ABB implementation the vulnerability affects both the use of the FTPS protocol and the tool protocol. ABB has not yet produced the expected ‘maintenance release’ that will mitigate this vulnerability.
The ABB security advisory on this issue is dated April 22nd, 2014 and was identified in last week’s ICS-CERT Situational Awareness Alert Update. It notes that as of that date there had been no identified exploits of this vulnerability in ABB devices.
No Update of HeartBleed Alert
As of this evening ICS-CERT had not produced a new update of their Situational Awareness Alert for the HeartBleed vulnerability reflecting this ABB advisory. That is probably because there is no new information in this advisory that wasn’t available last week when the last SAA update was issued.
Interestingly, ICS-CERT still hasn’t published an advisory for the vulnerable Digi systems that were also identified (along with this ABB vulnerability) in the last update. This is especially odd since Digi was expecting to publish a fix on April 21st, the week before the last SAA update. At least one Digi OpenSSL fix (for Digi Embedded Yocto 1.4) has been published on their web site.