Heartbleed Vulnerability in WinCC OA 3.12
The included version of OpenSSL in the Windows version of WinCC OA 3.12 has a critical security weakness, known as heartbleed bug. This allows an attacker to anonymously download a random chunk of memory from the server. More information about this can be found at: http://heartbleed.com/
Siemens has also launched an advisory report for this vulnerability in WinCC OA, which can be found here.
The upcoming patch P006 for the Windows version of WinCC OA includes patched OpenSSL 1.0.1e 64bit libraries for Windows, which solves this weakness. The 32bit libraries do not need to be changed, because they are not used on server side by WinCC OA.
For Linux it is sufficient to install the operating system updates for OpenSSL to solve this security weakness.
Given the fact that attacks towards the OpenSSL vulnerability described can not be traced, all generated SSL certificates must be regenerated in order to be certain the proxy server connection is not compromised.
If you have signed your certificates with a Certificate Authority (CA), you need to check your CA how compromised keys can be revoked and new certificate reissued for the new keys. Some CAs do this for free, some may take a fee.
Older versions of WinCC OA or PVSS are not affected by this vulnerability.
WinCC OA/PVSS Support