This afternoon the DHS ICS-CERT updated their ‘Situational Awareness Alert for OpenSSL Vulnerability’, commonly referred to as the HeartBleed bug. The information added today is the most extensive to date and includes:
• An advance notice about an ICS-CERT Advisory for HeartBleed in Atvise;
• An extensive (but probably not exhaustive) list of ICS-related applications and devices that have been determined not to be affected by HeartBleed;
• A reminder that while older versions of OpenSSL may not be affected by HeartBleed, they do have their own known vulnerabilities; and
• A reminder that the use of SHODAN and other search engines may make it relatively easy to find ICS components that are susceptible to HeartBleed.
Atvise
ICS-CERT took the unusual step of announcing that an “ICS-CERT advisory [was] coming soon” for the Certec atvise scada products. It provides a link to the atvise notice about the vulnerability. That stilted notice (okay, I lived in Berlin for 7 years and my German syntax at its best was way worse than this English-language notice) claims that while some versions of their products have the HeartBleed bug, they “wasn't affected by known attacks”. Now they “face new kinds of attacks found nearly daily”. I certainly look forward to hearing more about the ‘new kinds of attacks’ on a SCADA system.
Atvise does have a patch available for the vulnerable OpenSSL components.
Systems Not Affected
There is a fairly long list of systems here that are not affected by the HeartBleed bug because they either ‘don’t use OpenSSL’ or ‘don’t use an affected version of OpenSSL’. Unfortunately there is not an actual control system or component on the list. They are all either communications tools or security tools. This list will be invaluable to a security manager or integrator. It does let them concentrate on other parts of their systems, but it is strangely unhelpful for control systems.
The lack of any control system applications or devices on the list is more than a little disconcerting. Two weeks into the public discussion of HeartBleed we have two vendors (Siemens and atvise) self-identifying their infection with this bug, but no one saying that they are infection free. At this point I think that any ICS system that has not identified itself as being free of HeartBleed should, for the sake of safety and security, be considered infected until proven otherwise.
Other OpenSSL Vulnerabilities
There have been any number of system vendors that have bragged that their system uses an older version of OpenSSL that is not affected by HeartBleed. Today’s update reminds people that earlier versions of the software have their own problems that should not be ignored. The update provides a link to the OpenSSL web page that lists a large number of reported vulnerabilities in the software. If all of the patches and upgrades have not been applied to earlier versions, there may be more serious problems than HeartBleed.
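As an added illustration of the point above (not from the ICS-CERT alert or this blog), here is a small inventory-triage script: given the OpenSSL version string a vendor reports, it sorts each component into “HeartBleed-affected”, “fixed”, or “older branch, not HeartBleed but check its own advisories”. The inventory names and banners are constructed for the example; the affected range (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g and 1.0.2-beta2) is from the OpenSSL advisory.

```python
import re

# Constructed sample inventory (hypothetical names; banners in the form
# printed by `openssl version` or copied from vendor release notes).
INVENTORY = {
    "historian-web": "OpenSSL 1.0.1e 11 Feb 2013",
    "vpn-concentrator": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy-hmi": "OpenSSL 0.9.8y 5 Feb 2013",
    "test-gateway": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "plc-gateway": "no SSL/TLS stack",
}

# major.minor.fix, optional patch letter(s), optional -betaN
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_version(banner):
    """Return (major, minor, fix, letters, beta) or None if no version is present."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letters, beta = m.groups()
    return (int(major), int(minor), int(fix), letters, int(beta) if beta else None)


def classify(banner):
    """Triage one component purely by OpenSSL version string.

    Caveat: distro/vendor builds often backport the fix without changing the
    version (and may build with -DOPENSSL_NO_HEARTBEATS), so 'heartbleed-affected'
    means 'treat as affected until the vendor advisory says otherwise'.
    """
    v = parse_version(banner)
    if v is None:
        return "no-openssl-version-reported"
    major, minor, fix, letters, beta = v
    branch = (major, minor, fix)
    if branch == (1, 0, 1):
        # Patch letters order lexically within a branch: "" < "a" < ... < "f" < "g".
        return "heartbleed-affected" if letters < "g" else "heartbleed-fixed"
    if branch == (1, 0, 2):
        # Only 1.0.2-beta1 shipped the bug; beta2 and the final release are fixed.
        return "heartbleed-affected" if (beta is not None and beta < 2) else "heartbleed-fixed"
    if branch < (1, 0, 1):
        # 0.9.8 / 1.0.0 never had the heartbeat extension, but have their own advisories.
        return "not-heartbleed-check-other-advisories"
    return "heartbleed-fixed"


def triage(inventory):
    """Map every component name to its triage result."""
    return {name: classify(banner) for name, banner in inventory.items()}
```

Components in the “not-heartbleed” bucket are exactly the ones the alert warns about: the version string clears them of HeartBleed, not of the rest of the OpenSSL vulnerability list.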
SHODAN and Others
Any time you have a widespread vulnerability like HeartBleed it is valuable to be reminded that search engines like SHODAN make it relatively easy for people to find vulnerable systems. That, combined with the widespread availability of automated attack and exploit tools, makes it easier for both opportunistic and targeted attackers to gain access to improperly secured systems.
ICS-CERT notes in the Alert that: “As tools and adversary
capabilities advance, ICS-CERT expects that exposed systems will be more
effectively discovered, and targeted.” They also remind owner/operators that
they can use many of the same tools to discover if their systems are
vulnerable. Knowing that their systems are accessible and vulnerable should
allow owners to better protect their systems.