Siemens industrial switches vulnerable to DROWN decryption bug

Siemens is working on a patch to address multiple industrial switches affected by the recently published DROWN vulnerability.

DROWN, which stands for “Decrypting RSA with Obsolete and Weakened encryption”, is known as a “cross protocol attack”, since it exploits weaknesses in one encryption protocol to attack another.

In this case, an attack on a web server that allows connections over Security Sockets Layer (SSL)v2, a protocol from the 1990s, could undermine the security of connections over Transport Layer Security (TLS), a modern offspring of SSL which is used to encrypt nearly all web connections.

Modern browsers don’t support SSLv2, but millions of web servers do and so it seems do a bunch of Siemens switches deployed in critical infrastructure sectors. Siemens noted in an advisory last week that multiple SCALANCE X switches as well as its Ruggedcom ROX I VPN products are affected by DROWN.

The switches connect Programmable Logic Controls (PLCs) and Human Machine Interfaces (HMI). PLCs are computer devices used to control industrial processes.< HMIs provide a graphical interface to a manufacturing system or industrial process.

The ROX-based VPN endpoint and firewalls devices connect other devices used in harsh environments such as electric utility substations and traffic control cabinets. Affected switches include all version of Siemens' SCALANCE X300 family, the SCALANCE X414, the SCALANCE X200 IRT family, the SCALANCE X200 RNA family, and the SCALANCE X200 family.

According to Siemens, these devices are used in chemical, communications, critical manufacturing, dams, defense industrial base, energy, food and agriculture, government facilities,

The US Department of Homeland Security’s Industrial Control System Cyber Emergency Response Team (ICS-CERT) said that exploits for DROWN are publicly available, however that crafting an exploit for it would be difficult.

Siemens does not have a patch available yet, but suggests that an attacker could not exploit the vulnerability over the internet.

“In order to exploit the vulnerability, the attacker must have network access to the affected devices and must be in a privileged network position,” said Siemens.

Until it releases a patch, it’s advising customers to protect network access to the web server and restrict access to the management interface to an internal network.

Take this 5 minute survey on The State of Cloud Storage & Collaboration 2016 and go in the draw to win a $500 Visa credit card.Start Survey NOW