More than three months after the disclosure of the catastrophic Heartbleed vulnerability in the OpenSSL library, critical industrial control systems sold by Siemens remain susceptible to hijacking or crashes that can be triggered by the bug, federal officials have warned.
The products are used to control switches, valves, and other equipment in chemical, manufacturing, energy, and wastewater facilities. Heartbleed is the name given to a bug in the widely used OpenSSL cryptographic library that leaks passwords, usernames, and secret encryption keys. While Siemens has updated some of its industrial control products to patch the Heartbleed vulnerability, others remain susceptible, an advisory published Thursday by the Industrial Control Systems Cyber Emergency Response Team warned.
"The vulnerabilities identified could impact authenticity, integrity, and availability of affected devices," the notice stated. "The man-in-the-middle attack could allow an attacker to hijack a session between an authorized user and the device. The other vulnerabilities reported could impact the availability of the device by causing the web server of the product to crash."