This afternoon the DHS ICS-CERT published their advisory for
the ABB version of the HeartBleed vulnerability affecting the Relion 650 series
application used in the electrical sector. ABB has self-reported the effect of
the HeartBleed bug on their system. The ABB implementation affects both the use
of the FTPS protocol and the tool protocol. ABB has not yet produced the
expected ‘maintenance release’ that will mitigate this vulnerability.
The ABB security advisory on this issue is dated April 22nd, 2014 and
was identified in last week's ICS-CERT Situational Awareness Alert Update. It
notes that as of that date there had been no identified exploits of this
vulnerability in ABB devices.
No Update of HeartBleed Alert
As of this evening ICS-CERT had not produced a new update of
their Situational Awareness Alert for the HeartBleed vulnerability reflecting
this ABB advisory. That is probably because there is no new information in this
advisory that wasn’t available last week when the last SAA update was issued.
Interestingly, ICS-CERT still hasn’t published an advisory
for the vulnerable Digi systems that were also identified (along with this ABB
vulnerability) in the last update. This is especially odd since Digi was
expecting to publish a fix on April 21st, the week before the last
SAA update. There is at least one Digi OpenSSL fix (for Digi
Embedded Yocto 1.4) published on their web site.