This afternoon the DHS ICS-CERT published two updated advisories for control system vulnerabilities in Sierra Wireless AirLink products and various Siemens products. Both updates seem to be relatively minor changes to the ICS-CERT document. ICS-CERT does not report on the new information from Sierra Wireless, it just provides a link to the information.
Sierra Wireless Update
This advisory was originally published on January 8th, 2014 and has already been updated once. The purpose of today’s update was to include a link (.PDF download link) to an updated security advisory from Sierra Wireless. The earlier Sierra Wireless publication noted that they would investigate “methods to perform secure firmware updates remotely, and will provide information on this method when available”. The latest update (from May 28th; I wonder why it took ICS-CERT so long to update their advisory? I suspect that they were not informed by Sierra Wireless of the new information) provides those “details”:
• “Directly attaching a PC running the firmware update tool to the device via an Ethernet cable; or
• “Connecting to the device via VPN and performing the update over the VPN tunnel.”
I can see why it would take five months to come up with those useful techniques (SARCASM).
There is something even more interesting in the newest version of the Sierra Wireless documents that ICS-CERT missed in their update. To be fair, I also missed it in looking at the January Sierra Wireless document. The ICS-CERT advisory is specifically targeted at the ‘AirLink Raven X EV-DO product’. Sierra Wireless reports that the same vulnerability exists on the ‘Raven X, Raven XE, Raven XT, PinPoint X, PinPoint XT and MP Products’.
The ‘PinPoint’ products are all listed as “Discontinued, Not Supported” fortunately, the new mitigation measures will work just as well on the older models so perhaps that is why their vulnerability was not reported by ICS-CERT.
Siemens Vulnerability Update
The new data in this update was not provided by Siemens, but was more likely a response to a Siemens complaint about the wording in the initial advisory that made it seem that there were specific exploits directed at the Siemens products. ICS-CERT wrote in the original advisory (no longer available on-line) that:
“Exploits that target these vulnerabilities are known to be publicly available.”
While there are certainly HeartBleed exploits in play, we haven’t heard anything that would specifically point to their use against the Siemens products listed in this advisory (nor any ‘proof’ that they haven’t).
In any case ICS-CERT revised the wording to read:
“Exploits that target OpenSSL vulnerabilities are publicly available. ICS-CERT is unaware of any OpenSSL exploits that target Siemens’ products specifically.”
They are, of course, not saying that no one (sorry about the double negative but it is important and an appropriate use in this context) has specifically targeted these vulnerabilities in the Siemens products. That would be impossible to prove. We can probably take small comfort in the assumption that they probably would not have made this change if they had any reliable information indicating a possible HeartBleed related compromise of a Siemens system.
BTW: Yesterday’s advisories are now listed on the ICS-CERT landing page.