Two products have been patched, but three remain vulnerable

Apr 29, 2014 12:40 GMT

The OpenSSL vulnerability known as the Heartbleed bug has impacted a large number of websites and services, including industrial products. Siemens, one of the affected organizations, has started rolling out updates to make sure its products are secure.

According to SecurityWeek, Siemens published an advisory last week to inform customers of fixes for eLAN-8.2 eLAN versions prior to 8.3.3 and WinCC OA V3.12. While WinCC OA is affected in all circumstances, eLAN is only impacted when RIP is utilized.

There are still some industrial products that haven’t been patched by the company. The list includes S7-1500 V1.5, which is affected only when HTTPS is active; CP1543-1 V1.1, affected when FTPS is active; and APE 2.0, affected when the SSL/TLS component is used in the customer's implementation.

Updates for these remaining pieces of software are being prepared. Meanwhile, customers are advised to apply the workarounds described in the security advisory.

Heartbleed attacks against these Siemens products are mitigated by the fact that the attacker must have network access to the devices.

The company recommends that users change their passwords and reissue certificates after the devices have been secured.

Siemens has credited Joel Langill with Infrastructure Defense Security Services for reporting and coordinating the disclosure of the security issues.