Heartbleed Vulnerability in WinCC OA 3.12

Discussion about security topics in WinCC OA!

1 post • Page 1 of 1
agruber
Posts: 146
Joined: Tue Sep 07, 2010 12:52 pm

Heartbleed Vulnerability in WinCC OA 3.12

Post by agruber » Thu Apr 24, 2014 9:45 am

Dear customer,

The included version of OpenSSL in the Windows version of WinCC OA 3.12 has a critical security weakness, known as the Heartbleed bug. This allows an attacker to anonymously download a random chunk of memory from the server. More information about this can be found at: http://heartbleed.com/

Siemens has also launched an advisory report for this vulnerability in WinCC OA, which can be found here.
http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-635659.pdf

The upcoming patch P006 for the Windows version of WinCC OA includes patched OpenSSL 1.0.1e 64-bit libraries for Windows, which solves this weakness. The 32-bit libraries do not need to be changed, because they are not used on the server side by WinCC OA.

For Linux it is sufficient to install the operating system updates for OpenSSL to solve this security weakness.

Given the fact that attacks on the described OpenSSL vulnerability cannot be traced, all generated SSL certificates must be regenerated in order to be certain the proxy server connection is not compromised.

If you have signed your certificates with a Certificate Authority (CA), you need to check with your CA how compromised keys can be revoked and new certificates reissued for the new keys. Some CAs do this for free, some may take a fee.

Older versions of WinCC OA or PVSS are not affected by this vulnerability.

Best regards,
Andreas Gruber
WinCC OA/PVSS Support
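As an added example (not part of the post above and not WinCC OA or Siemens code), a small Python check that classifies the banner printed by `openssl version` against the Heartbleed-affected range. It deliberately reports 1.0.1 through 1.0.1f as "review" rather than "vulnerable": the P006 libraries and Linux distribution updates fix the bug in place without changing that version string, so the patch or package level has to be checked, not the banner alone. The sample banners are constructed, and the local-binary helper is an assumption about having `openssl` on the PATH.

```python
import re
import shutil
import subprocess

# Heartbleed (CVE-2014-0160) shipped in OpenSSL 1.0.1 through 1.0.1f and in
# 1.0.2-beta1; it was fixed upstream in 1.0.1g. Older branches (1.0.0, 0.9.8)
# never contained the TLS heartbeat code that has the defect.
AFFECTED_101_SUFFIXES = {"", "a", "b", "c", "d", "e", "f"}
AFFECTED_102_BETAS = {"beta1"}

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def classify_openssl_version(version_output):
    """Classify the text printed by `openssl version`.

    Returns "not_affected" when the branch never had the bug or the release is
    a fixed one, and "review" when the version string falls in the affected
    range. "review" is not "vulnerable": vendors (the WinCC OA P006 patch,
    Debian and Red Hat updates) patch Heartbleed without bumping the banner,
    so the installed patch level or package changelog must be checked.
    """
    match = _VERSION_RE.search(version_output)
    if not match:
        raise ValueError("unrecognised OpenSSL version string: %r" % version_output)
    base = tuple(int(match.group(i)) for i in (1, 2, 3))
    suffix, beta = match.group(4), match.group(5)
    if base == (1, 0, 1) and suffix in AFFECTED_101_SUFFIXES:
        return "review"
    if base == (1, 0, 2) and beta in AFFECTED_102_BETAS:
        return "review"
    return "not_affected"


def classify_local_openssl():
    """Classify the system openssl binary, or return None if none is on the PATH."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return classify_openssl_version(out)


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real WinCC OA host.
    for banner in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 0.9.8y 5 Feb 2013"):
        print("%-32s %s" % (banner, classify_openssl_version(banner)))
    print("local openssl:", classify_local_openssl())
```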
