OpenSSL Vulnerability
Act Now · ICS-CERT ICSA-14-135-05 · May 15, 2014
Summary
OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2-beta1 contain a buffer over-read (CWE-125) in the handler for the TLS heartbeat extension (RFC 6520), known as Heartbleed. A remote, unauthenticated attacker can read up to 64 KB of process memory per heartbeat request and can repeat the request to read more. The leaked memory can contain private keys, session tokens, credentials and any other data the TLS/SSL stack has handled. Any system that links a vulnerable OpenSSL build is affected, whether it serves TLS/SSL connections or makes them: a vulnerable client that connects to a malicious server is exposed in the same way.
What this means
What could happen
An attacker can read sensitive data (private keys, credentials, configuration data) from memory on systems running vulnerable OpenSSL versions, potentially compromising encrypted communications and gaining unauthorized access to industrial systems.
Who's at risk
Water authorities, electric utilities, and other critical infrastructure operators using OpenSSL in SCADA systems, HMIs, data historians, authentication servers, or any networked control systems with TLS/SSL encryption. This affects any ICS component that relies on OpenSSL for secure communication, including engineering workstations, gateway devices, and remote access systems.
How it could be exploited
An attacker completes a TLS handshake with a system running vulnerable OpenSSL (1.0.1 through 1.0.1f, or 1.0.2-beta1) and sends a heartbeat request whose 16-bit payload_length field claims more bytes than the message actually carries. The vulnerable code trusts that field and copies the claimed number of bytes, starting at the short payload and running on into adjacent memory, into the heartbeat response. Each request returns up to 65,535 bytes, no credentials are needed, and the request leaves no entry in ordinary logs, so exposure of private keys, session cookies or passwords cannot be ruled out by log review. A leaked server private key can be used to decrypt captured traffic (where forward-secret cipher suites were not in use) or to impersonate the server.
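The mechanism above, as an added simulation that is not OpenSSL source code: process memory is modelled as one bytes object in which the received heartbeat record is followed by unrelated data (a constructed private-key fragment). The vulnerable handler trusts the payload_length field, the patched handler applies the length check introduced in 1.0.1g; the 16-byte padding is zeros here rather than random bytes, and the function and constant names are this example's own.

```python
# Simulation (added example, not OpenSSL source) of the heartbeat handler
# before and after the 1.0.1g fix. "memory" stands in for the process heap:
# the received record starts at rec_off and is followed by unrelated data.
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # RFC 6520 requires at least 16 bytes of padding after the payload


def handle_heartbeat_vulnerable(memory: bytes, rec_off: int, rec_len: int):
    """Pre-1.0.1g behaviour: the 16-bit payload_length in the message is trusted."""
    p = rec_off
    hbtype = memory[p]
    payload = struct.unpack("!H", memory[p + 1:p + 3])[0]  # n2s(p, payload)
    p += 3
    if hbtype != HB_REQUEST:
        return None
    # memcpy(bp, pl, payload): copies `payload` bytes from the request's payload
    # pointer no matter how many bytes the record (rec_len) actually contains.
    echoed = memory[p:p + payload]
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload) + echoed + b"\x00" * PADDING


def handle_heartbeat_patched(memory: bytes, rec_off: int, rec_len: int):
    """1.0.1g behaviour: payload_length is checked against the record length."""
    if 1 + 2 + PADDING > rec_len:
        return None  # too short to be a valid heartbeat: silently discard
    p = rec_off
    hbtype = memory[p]
    payload = struct.unpack("!H", memory[p + 1:p + 3])[0]
    p += 3
    if 1 + 2 + payload + PADDING > rec_len:
        return None  # claimed payload does not fit in the record: silently discard
    if hbtype != HB_REQUEST:
        return None
    echoed = memory[p:p + payload]
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload) + echoed + b"\x00" * PADDING


def leaked_bytes(response, sent_payload_len: int) -> bytes:
    """Bytes in a response that the requester never sent, i.e. read from memory."""
    if response is None:
        return b""
    return response[3 + sent_payload_len:len(response) - PADDING]


# Constructed heap layout: a 3-byte request that claims a 64-byte payload but
# carries none, followed by data belonging to another part of the process.
SECRET = b"-----BEGIN RSA PRIVATE KEY-----"
MALFORMED = bytes([HB_REQUEST]) + struct.pack("!H", 64)
HEAP = MALFORMED + b"\x00" * 16 + SECRET + b"\x00" * 64

# A well-formed 4-byte request ("ping" plus 16 bytes of padding) for comparison.
WELL_FORMED = bytes([HB_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * PADDING

if __name__ == "__main__":
    vuln = handle_heartbeat_vulnerable(HEAP, 0, len(MALFORMED))
    print("vulnerable handler leaked:", leaked_bytes(vuln, 0))
    print("patched handler response:", handle_heartbeat_patched(HEAP, 0, len(MALFORMED)))
    print("patched handler, valid request:",
          handle_heartbeat_patched(WELL_FORMED + SECRET, 0, len(WELL_FORMED)))
```

Both handlers answer the well-formed request identically; only the malformed one separates them. The check 1 + 2 + payload + 16 > rec_len is the whole fix: the claimed length is bounded by what actually arrived, and a request that fails it is dropped rather than answered, which is why a patched server produces no response at all to a Heartbleed probe.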
Prerequisites
- OpenSSL 1.0.1 through 1.0.1f or 1.0.2-beta1 installed and running, built with the heartbeat extension enabled (the default; builds compiled with -DOPENSSL_NO_HEARTBEATS are not affected)
- A TLS/SSL service listening and reachable over the network (or a vulnerable client that can be made to connect to an attacker-controlled server)
- No authentication required
remotely exploitable · no authentication required · actively exploited (KEV) · high EPSS score (94.5%) · fixed in 1.0.1g and 1.0.2-beta2 (upgrade required, no in-place patch for affected versions) · affects encryption and authentication systems
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (2), both with a fix available

Product   Affected versions          Fix status
OpenSSL   >= 1.0.1 and <= 1.0.1f     1.0.1g or later
OpenSSL   1.0.2-beta1                1.0.2-beta2 or later

Note: Linux distributions backported the fix into packages that still report 1.0.1e or older from "openssl version", so the version string alone neither proves nor rules out exposure; check the package changelog or the vendor's advisory for this issue.
Remediation & Mitigation
Do now
HOTFIX      Upgrade OpenSSL to 1.0.1g or later (1.0.2 line: 1.0.2-beta2 or later). Where an upgrade cannot be deployed immediately, rebuild the existing version with -DOPENSSL_NO_HEARTBEATS, which removes the vulnerable code path. Vendor-supplied firmware and appliances must be updated with the vendor's fixed release.
WORKAROUND  Restrict network access to systems and services using vulnerable OpenSSL versions to trusted networks or IP addresses via firewall rules
WORKAROUND  Disable TLS/SSL on systems where it is not required for operations
Schedule — requires maintenance window
            Patching may require a device reboot; plan for process interruption
HARDENING   After patching, treat every key and credential the vulnerable process could have held as compromised: generate new private keys, reissue the TLS certificates and revoke the old ones, invalidate active sessions and cookies, and reset passwords. Rotate only after the fixed version is running, since new material loaded into a still-vulnerable process can be leaked in the same way. Exploitation leaves no trace in ordinary logs, so the absence of evidence does not mean the keys were not read.
Long-term hardening
HARDENING   Implement network segmentation to isolate systems running OpenSSL from untrusted networks
CVEs (1)