This updated advisory is a follow-up to the original advisory titled ICSA-22-167-14 Siemens OpenSSL Affected Industrial Products (Update A) that was published July 14, 2022, on the ICS webpage on cisa.gov/ics.
Successful exploitation of this vulnerability could create a denial-of-service condition in the affected products. Siemens reported this vulnerability to CISA.
The following Siemens industrial products are affected:
- Industrial Edge – OPC UA Connector: All versions prior to v1.7
- Industrial Edge – SIMATIC S7 Connector App: All versions prior to v1.7.0
- RUGGEDCOM CROSSBOW Station Access Controller: All versions only running on ROX
- RUGGEDCOM RM1224 LTE(4G) EU: All versions
- RUGGEDCOM RM1224 LTE(4G) NAM: All versions
An attacker can trigger an infinite loop by crafting a certificate that has invalid explicit curve parameters, which could result in a denial-of-service condition. CVE-2022-0778 has been assigned to this vulnerability.
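Because the trigger is a certificate whose key carries explicit (rather than named) elliptic-curve parameters, one compensating control while patches are pending is to reject such certificates at an ingress point before a vulnerable OpenSSL build parses them; RFC 5480 already forbids explicit parameters in PKIX certificates, so this drops nothing a conforming peer would present. The following Python is an added example, not code from the advisory, Siemens, or OpenSSL: a small standard-library DER walker that classifies the curve parameters in a SubjectPublicKeyInfo and locates that structure inside a certificate. All DER inputs are constructed for the demo (placeholder key bytes, a truncated ECParameters SEQUENCE, skeletal certificate fields), and the check is structural only; it performs no signature or key validation.

```python
# Added example (not from the CISA/Siemens advisory or OpenSSL): classify the
# EC parameters in an X.509 SubjectPublicKeyInfo so certificates with explicit
# curve parameters can be rejected up front. All sample DER is constructed.

EC_PUBLIC_KEY_OID = bytes.fromhex("2A8648CE3D0201")      # 1.2.840.10045.2.1 id-ecPublicKey
P256_OID = bytes.fromhex("2A8648CE3D030107")              # 1.2.840.10045.3.1.7 secp256r1
RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1 rsaEncryption

TAG_INTEGER, TAG_BITSTRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x03, 0x05, 0x06, 0x30


def _tlv(tag: int, body: bytes) -> bytes:
    """DER-encode one element (used to build the constructed samples below)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("element overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def _children(body: bytes):
    """Split a constructed element's contents into (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out


def classify_ec_parameters(spki_der: bytes) -> str:
    """Return 'named', 'explicit', 'implicit', 'absent', 'unknown' or 'not-ec'."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("SPKI is not a SEQUENCE")
    alg_tag, alg_body = _children(spki)[0]
    if alg_tag != TAG_SEQUENCE:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    fields = _children(alg_body)
    if not fields or fields[0][0] != TAG_OID:
        raise ValueError("AlgorithmIdentifier lacks an OID")
    if fields[0][1] != EC_PUBLIC_KEY_OID:
        return "not-ec"
    if len(fields) < 2:
        return "absent"
    return {TAG_OID: "named", TAG_SEQUENCE: "explicit", TAG_NULL: "implicit"}.get(fields[1][0], "unknown")


def spki_from_certificate(cert_der: bytes) -> bytes:
    """Locate the SubjectPublicKeyInfo inside a DER Certificate (structural walk only)."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Certificate is not a SEQUENCE")
    tbs_tag, tbs = _children(cert)[0]
    if tbs_tag != TAG_SEQUENCE:
        raise ValueError("TBSCertificate is not a SEQUENCE")
    fields = _children(tbs)
    if fields and fields[0][0] == 0xA0:      # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki_body = fields[5]
    if spki_tag != TAG_SEQUENCE:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return _tlv(TAG_SEQUENCE, spki_body)


def certificate_has_explicit_curve(cert_der: bytes) -> bool:
    """Policy check: True when the certificate's key uses explicit EC parameters."""
    return classify_ec_parameters(spki_from_certificate(cert_der)) == "explicit"


# --- constructed samples (placeholder key bytes, not real keys) -----------------
_FAKE_POINT = b"\x04" + b"\x11" * 64

NAMED_CURVE_SPKI = _tlv(TAG_SEQUENCE,
    _tlv(TAG_SEQUENCE, _tlv(TAG_OID, EC_PUBLIC_KEY_OID) + _tlv(TAG_OID, P256_OID))
    + _tlv(TAG_BITSTRING, b"\x00" + _FAKE_POINT))

# Explicit ECParameters is a SEQUENCE (version, fieldID, curve, base, order, ...);
# only its outer tag matters to this check, so a truncated SEQUENCE stands in.
EXPLICIT_CURVE_SPKI = _tlv(TAG_SEQUENCE,
    _tlv(TAG_SEQUENCE, _tlv(TAG_OID, EC_PUBLIC_KEY_OID) + _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, b"\x01")))
    + _tlv(TAG_BITSTRING, b"\x00" + _FAKE_POINT))

RSA_SPKI = _tlv(TAG_SEQUENCE,
    _tlv(TAG_SEQUENCE, _tlv(TAG_OID, RSA_ENCRYPTION_OID) + _tlv(TAG_NULL, b""))
    + _tlv(TAG_BITSTRING, b"\x00" + _tlv(TAG_SEQUENCE, b"")))


def _constructed_certificate(spki: bytes) -> bytes:
    """Wrap an SPKI in a skeletal DER Certificate with placeholder fields (constructed)."""
    empty_seq = _tlv(TAG_SEQUENCE, b"")
    tbs = (_tlv(0xA0, _tlv(TAG_INTEGER, b"\x02"))               # [0] version v3
           + _tlv(TAG_INTEGER, b"\x01")                         # serialNumber
           + empty_seq + empty_seq + empty_seq + empty_seq      # signature, issuer, validity, subject
           + spki)
    return _tlv(TAG_SEQUENCE, _tlv(TAG_SEQUENCE, tbs) + empty_seq + _tlv(TAG_BITSTRING, b"\x00"))


if __name__ == "__main__":
    for name, spki in (("named", NAMED_CURVE_SPKI), ("explicit", EXPLICIT_CURVE_SPKI), ("rsa", RSA_SPKI)):
        print(name, classify_ec_parameters(spki), certificate_has_explicit_curve(_constructed_certificate(spki)))
```

In a real deployment `certificate_has_explicit_curve` would run over the DER of each presented certificate (for example in a TLS-terminating proxy or a certificate-import hook) and the connection or import would be refused on `True`; the walker deliberately stops at tag inspection and never decodes the curve values, which is exactly the work the vulnerable code path performs.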
Siemens has released updates for several affected products and recommends updating to the latest versions available. Siemens is preparing further updates and recommends countermeasures for products where updates are not yet available or will not be developed. Please see Siemens SSA-712929 to determine if there is an update available.
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.
For more information see Siemens Security Advisory SSA-712929.