Heartbleed Vulnerability Update
April 25, 2014
Invensys, now a part of Schneider Electric, is committed to ensuring that our customers and employees are kept current on issues that might affect or improve product, system or process operation. We are dedicated to providing product and application reliability, and exceptional client service.
Customer Advisories are intended to inform you of the possibility of a situation occurring at system installations, and the identified resolution. Invensys recommends that our customers consider taking action to help prevent occurrence of the identified situation during your production process.
Potential Security Vulnerability:
It is recognized that the global threat environment is constantly changing, and we are committed to helping our customers protect the security of their installations. We have reviewed the issue described in this Customer Advisory and determined that, if no action is taken, there is potential for a security vulnerability that could allow an attacker to compromise the integrity, availability, or confidentiality of a product. We strongly advise customers to take note of the recommended actions, and to test such actions or patches on non-production systems, where possible, prior to deployment into production environments. This approach is recommended in order to minimize risk and exposure to announced vulnerabilities.
This advisory applies to all Foxboro Evo™ Process Automation System, I/A Series®, Foxboro® Control Software, I/A Series® SCADA and Triconex users.
On April 8, 2014, US-CERT released alert (TA14-098A) “OpenSSL 'Heartbleed' vulnerability.” This vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.
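The memory-handling error named above, as an added C example that is not Schneider Electric, McAfee or OpenSSL code: a bounds check on the heartbeat record of the kind OpenSSL 1.0.1g introduced, applied to two constructed sample records. The function names are assumptions; the record layout (type, 2-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1   /* HeartbeatMessageType request  (RFC 6520) */
#define HB_RESPONSE 2   /* HeartbeatMessageType response (RFC 6520) */
#define HB_PADDING  16  /* minimum padding RFC 6520 requires after the payload */
typedef struct {
    int ok;               /* 1 = record is well-formed, 0 = discard it */
    uint16_t payload_len; /* claimed payload length, valid only when ok == 1 */
} hb_check_t;
/* Validate a heartbeat record body (1-byte type, 2-byte big-endian payload length,
 * payload, >= 16 bytes padding) before touching its payload. rec_len is the byte
 * count actually received. Pre-1.0.1g OpenSSL trusted the claimed length and copied
 * that many bytes into the reply, reading past the received data; this mirrors the fix. */
hb_check_t hb_validate(const unsigned char *rec, size_t rec_len)
{
    hb_check_t r = {0, 0};
    if (rec == NULL || rec_len < (size_t)(1 + 2 + HB_PADDING))  /* cannot hold header + padding */
        return r;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return r;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + claimed + HB_PADDING > rec_len)  /* the missing bounds check */
        return r;
    r.ok = 1; r.payload_len = claimed;
    return r;
}

/* Build a response from a validated request. Returns bytes written, 0 on reject. */
size_t hb_build_response(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_len)
{
    hb_check_t c = hb_validate(rec, rec_len);
    size_t need = (size_t)1 + 2 + c.payload_len + HB_PADDING;
    if (!c.ok || out_len < need) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, c.payload_len);        /* only bytes actually received */
    memset(out + 3 + c.payload_len, 0, HB_PADDING); /* fresh padding, never stale memory */
    return need;
}
/* Constructed sample records (not from the advisory): 3-byte payload + 16 bytes padding;
 * the second claims a 16384-byte payload it does not carry. */
static const unsigned char hb_good[] = { HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c',
                                         0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
static const unsigned char hb_bad[]  = { HB_REQUEST, 0x40, 0x00, 'a', 'b', 'c',
                                         0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
int hb_demo_good(void) { return hb_validate(hb_good, sizeof hb_good).ok; }
int hb_demo_bad(void)  { return hb_validate(hb_bad,  sizeof hb_bad).ok;  }
size_t hb_demo_reply(void) { unsigned char out[64]; return hb_build_response(hb_good, sizeof hb_good, out, sizeof out); }
```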
We have reviewed our product offering to identify products that may be affected by the Heartbleed OpenSSL issue, a publicly known vulnerability affecting versions 1.0.1 through 1.0.1f of the OpenSSL cryptographic software library. To this end, we assembled an internal task force across our business to investigate which, if any, Schneider Electric Process Automation products are affected by this issue.
This vulnerability was not directly found in any Foxboro Evo, I/A Series, Foxboro Control Software, I/A Series SCADA or Triconex product. However, it is present in the McAfee ePolicy Orchestrator (ePO) product supported by I/A Series v8.5 and newer, as well as by Foxboro Evo. Two versions of McAfee ePO with this vulnerability have been released by Invensys (now Schneider Electric): McAfee ePO 4.6 Patch 1 (build 1192) in kit number K0201FV, and McAfee ePO 4.6 Patch 6 (build 176), an upgrade that was released on August 9, 2013. No other products reviewed are impacted by this issue.
ACTIONS OR RESOLUTIONS
Procedures for backing up the current version of McAfee ePO and for installing McAfee's OpenSSL Heartbleed vulnerability hotfix for McAfee ePO 4.6 Patch 1 (build 1192) and McAfee ePO 4.6 Patch 6 (build 176) are available at the following link:
| GCS Center | America's GCS | Asia Pacific GCS | EMEA GCS |
|---|---|---|---|
| Location | Foxboro MA USA | Shanghai | Baarn NL |
| Phone | +1-866-746-6477 | +86 21 37180086 | +31-3554-84125 |
| Fax | +1-508-549-4999 | +86 21 37180196 | +31-3554-84230 |
Global Customer Support
Distribution to Invensys Customers and Internal Personnel Only
DO NOT REPRODUCE.
All trademarks are registered to their respective owners.
All brand names are property of their respective owners.
All Rights Reserved.