Heartbleed bug in OpenSSL
Our systems are NOT affected!
Various media outlets report a serious vulnerability in the OpenSSL software, known as "Heartbleed".
OpenSSL is a widely used software library for encrypting data and communications.
We also use OpenSSL in our services: HTTPS, FTPS and IPsec for VPN tunneling.
The embedded release in our systems is NOT affected.
Encryption with OpenSSL has been offered since release setIT V4.008.001 to meet secure-IT requirements such as those of the BDEW whitepaper. The services may be activated to secure the communication and data links between RTUs and central control stations, or diagnostics via a web server. Plants using older releases do not use OpenSSL and are therefore not affected.
However, installations may still be vulnerable if external components such as routers and GPRS modems that use OpenSSL releases 1.0.1 to 1.0.1f are installed. We are currently collecting this information and promise to inform you promptly if any vulnerability is detected.
Dr. Neuhaus reports that the TAINY-EMOD and TAINY-HMOD series are NOT affected.
The newest information from Lucom: Modems of type ER75i are not affected.
LANCOM routers are NOT affected either. LANCOM announces:
LCOS uses the encryption algorithm of the OpenSSL library but does not carry the Heartbleed bug, since the functionality of the TLS stack is provided by LANCOM Systems' own development.
Astaro/Sophos routers with newer releases may be affected if release UTM 9.1 or 9.2 is installed.
From our point of view, none of the routers installed in our projects runs these releases.
A brand-new post announces an update by Sophos:
UTM Version 9.111-17 available now, Fix: OpenSSL vulnerability: TLS heartbeat read overrun (CVE-2014-0160)
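When collecting version information from external components as described above, the banners can be triaged against the OpenSSL range named in this notice (1.0.1 to 1.0.1f). The following is an added example, not part of the original notice or of any vendor's tooling; the device names and banner strings are constructed sample data.

```python
import re

# Range stated in the notice: OpenSSL 1.0.1 through 1.0.1f.
AFFECTED_BASE = (1, 0, 1)
LAST_AFFECTED_LETTER = "f"

# Matches "OpenSSL 1.0.1e-fips 11 Feb 2013" and "... OpenSSL/1.0.1e" (HTTP Server header).
_VERSION_RE = re.compile(
    r"OpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]*)(-(?:beta|dev|pre)\w*)?", re.IGNORECASE
)

def classify(banner):
    """Return 'in-range', 'outside-range' or 'unknown' for one version banner.

    'in-range' means the reported version falls in the range quoted above and
    the vendor must be asked: a patched build can still report an old version
    string, and a build without the heartbeat extension is not exposed.
    """
    m = _VERSION_RE.search(banner)
    if m is None:
        return "unknown"            # no OpenSSL version string found
    if m.group(5):
        return "unknown"            # pre-release build: not covered by the quoted range
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).lower()
    if base != AFFECTED_BASE:
        return "outside-range"
    if letter == "" or (len(letter) == 1 and letter <= LAST_AFFECTED_LETTER):
        return "in-range"
    if len(letter) == 1:
        return "outside-range"      # 1.0.1g and later letters
    return "unknown"                # unexpected suffix, check by hand

def triage(inventory):
    """Map each device name to its classification."""
    return {device: classify(banner) for device, banner in inventory.items()}

# Constructed sample inventory (hypothetical devices and banners).
SAMPLE_INVENTORY = {
    "router-a": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "modem-b": "OpenSSL 0.9.8y 5 Feb 2013",
    "gateway-c": "Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1g",
    "modem-d": "firmware 4.2 (no TLS banner)",
}

if __name__ == "__main__":
    for device, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{device:10s} {status}")
```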
The vulnerability is officially known as "CVE-2014-0160". More information may be found in :
Picture credits: © heartbleed.com, © Jürgen Fälchle - fotolia.com