Unpatched OpenSSL holes found on Siemens ICSs

A number of Siemens industrial products have been found sporting four vulnerabilities in their OpenSSL implementation, which could lead to man-in-the-middle (MitM) attacks or the crashing of web servers of the products.

The flaws can be exploited remotely, and exploits that target these OpenSSL vulnerabilities are publicly available, the US Industrial Control Systems Cyber Emergency Response Team (ISC CERT) warned on Thursday.

Of the six affected products, security updates for patching the holes are available only for two.

Until the other four receive a patch, the company has issued a list of actions customers can undertake to mitigate the risk of attacks.

“The affected Siemens industrial products are for process and network control and monitoring in critical infrastructure sectors such as Chemical, Critical Manufacturing, Energy, Food and Agriculture, and Water and Wastewater Systems,” ISC CERT noted. “The vulnerabilities identified could impact authenticity, integrity, and availability of affected devices.”

“Impact to individual organizations depends on many factors that are unique to each organization,” they noted, and added that assets owners can additionally protect their systems against general cybersecurity risks by – if possible – making sure they are not accessible from the Internet; by putting the systems behing firewalls and isolating them from the business network; and by using secure methods to access them remotely.

Don't miss