This morning the US-CERT (NOT my normal ICS-CERT)
published an alert for a TLS/DTLS heartbeat functionality vulnerability in the
OpenSSL system. Now I don’t normally follow US-CERT vulnerability announcements
very closely, but it has been pointed out
that this vulnerability may have a very big control system component.
The Vulnerability
US-CERT notes that a remote attacker with a publicly
available exploit could gain access to sensitive data, possibly including user
authentication credentials and secret keys, through incorrect memory handling
in the TLS heartbeat extension. This could allow the attacker to decrypt data,
obtain log-in credentials, or perform man-in-the-middle attacks using the
OpenSSL protocols.
There is an interesting discussion of this
vulnerability at HeartBleed.com.
The Control System Connection
The popular press has made the point that this makes
a number of supposedly secure communications protocols vulnerable. One such
protocol could be an organization's virtual private network (VPN). Since
ICS-CERT has been pushing the use of VPN for ‘secure’ remote connections to control
systems, a number of people are using the OpenSSL protocol to connect with
their control system. These ‘secure’ connections are now vulnerable.
In a post over on the SCADASEC list at Infracritical.com, Jake Brodsky notes that
“this is a problem with the source code of OpenSSL/TLS. This code is embedded
in many places, including many SCADA RTUs and associated network hardware”.
People are going to have to do some hard looking to find all of the
implementations of this system and get them corrected.
It would be real nice if ICS-CERT were to get out in
front of the control system vulnerability side of this issue.