Database and web interfaces to customers, vendors, and enterprise resource planning interfaces.PLCs with add-on Ethernet/web cards with secure web connections.PLCs with built in Ethernet/web cards with secure web connections.Specific types of networking equipment have been determined to be more likely to contain the OpenSSL vulnerability and they are as follows: Any component connected to the ICS network that is based on Microsoft technologies may not be vulnerable because Microsoft does not typically use OpenSSL.Any component connected to the ICS network that was deployed or last updated prior to 2012 will not have the OpenSSL vulnerability because the OpenSSL vulnerability did not exist prior to 2012 and.Any component connected to the ICS network that offers secure external communication should be evaluated. There are three general guidelines that can be applied to determine a starting point for evaluating ICS networks for the OpenSSL vulnerability: It is extremely common for a set of ICS credentials to have nearly unlimited access throughout the ICS network, which is different from IT networks that typically limit user access to execute job specific duties.Įxternal connections commonly used in the ICS network include VPN connections, database and web interfaces, and secure FTP and other secure data transfer connections. If ICS network credentials are exfiltrated, which can be done with the successful exploitation of the OpenSSL vulnerability, it is possible for an attacker to exercise substantial control over an ICS network. The OpenSSL vulnerability can be present in hosts, clients, and client software. These external communication connections are susceptible to the OpenSSL vulnerability, which could be used to exfiltrate credentials for access to components on the ICS network. The ideal ICS network is isolated from the enterprise network and contains little to no external communication connections however, business demands are requiring increased communication with the ICS network from external networks. The Open Source toolkit is known to be deployed in some secure communication devices used in ICS networks. The OpenSSL Project is an ongoing volunteer-driven collaborative multinational development effort for the Open Source toolkit, implementing the s ecure sockets layer (SSL) and TLS protocols, as well as a general purpose cryptography library. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation. Impact to individual organizations depends on many factors that are unique to each organization. An attacker who successfully exploits this vulnerability may obtain the user credentials and cryptographic keys used to access the device. The location of this document is as follows:Ī missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64 kB of memory on a connected device. This document also contains a list of vendors, products, and product versions that has evaluated their products and have asserted that their products are not affected by the OpenSSL vulnerability. ICS-CERT has produced an OpenSSL affected/unaffected products list that specifies which vendors, products, and product versions are affected by the OpenSSL vulnerability. The following OpenSSL libraries are affected: Exploits that target this vulnerability are known to be publicly available. This vulnerability could be exploited remotely. OpenSSL Version 1.0.1g addresses and mitigates this vulnerability. The OpenSSL (Heartbleed) vulnerability has been identified in OpenSSL Versions 1.0.1 through 1.0.1f and 1.0.2-beta1 that contain a flaw in the implementation of the transport layer security/datagram transport layer security (TLS/DTLS) heartbeat functionality. , web site last accessed May 15, 2014. , web site last accessed May 15, 2014. The OpenSSL (Heartbleed) vulnerability was independently identified by both Neel Mehta of Google Security on April 1, 2014, and 2 days later by a team of security engineers Riku, Antti, and Matti at Codenomicon. This advisory is a follow-up to the updated alert titled ICS-ALERT-14-099-01E Situational Awareness Alert for OpenSSL Vulnerability that was published April 29, 2014, on the NCCIC/ICS-CERT web site.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |