Several Siemens products used for process and network control and monitoring in critical infrastructure sectors are affected by four vulnerabilities in the company's OpenSSL cryptographic software library.
The vulnerabilities – CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470 – can be exploited remotely, and fairly easily, to hijack a session as part of a man-in-the-middle attack or to crash the web server of the product, according to a Thursday ICS-CERT post.
Siemens has already issued updates for APE versions prior to version 2.0.2 and WinCC OA (PVSS), but has only issued temporary mitigations for CP1543-1, ROX 1, ROX 2, and S7-1500.
The products are typically used in the chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems sectors, according to the post.