German multinational electronics and engineering giant Siemens has warned that an unknown number of its industrial control and communications products are vulnerable to the Bash command interpreter bug, known as Shellshock.
The Shellshock-vulnerable products are the Ruggedcom ROX 1 and ROX 2 Linux-based operating systems, the firmware used in its ruggedised industrial routers.
In its advisory [PDF], Siemens said all versions of ROX 1 and ROX 2 are affected, but only if the Dynamic Host Configuration Protocol (DHCP) service, which automatically allocates IP addresses to other devices, is enabled.
Siemens said customers should turn off DHCP on ROX 1 and ROX 2 systems, and use static IP address allocation instead until patches are available.
Its APE Linux version 1.0, which is based on the Debian Linux distribution, is also fully vulnerable to Shellshock. Siemens advised customers to patch Bash on those systems.
The products in question are used in networks that monitor and control industrial processes in critical infrastructure such as power generation, manufacturing, food and agriculture, and transportation.
Shellshock is rated ten out of ten, the most critical score, in the Common Vulnerabilities and Exposures (CVE) tracking and ranking system, and affects a large number of Linux distributions as well as UNIX-like operating systems that ship the Bash command line interpreter.
The hole can be exploited remotely with little effort, giving attackers full control of the affected system.
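Siemens' advice for APE Linux is simply to patch Bash, which raises the practical question of how an operator confirms that a host's Bash is actually fixed. The POSIX shell script below is an added example, not code from Siemens or its advisory: it runs the widely circulated local self-check on the `bash` binary found on `PATH` and classifies the result. The environment variable name `PROBE` and the marker string `SHELLSHOCK_PROBE_MARKER` are constructed for this example.

```shell
#!/bin/sh
# Added example: local Shellshock patch-status check for the Bash on this host.
# Not code from Siemens or its advisory; assumes a `bash` binary is on PATH.

# Classify the captured output of the probe. The marker string is constructed
# for this example; a fixed Bash never echoes it, because it no longer runs
# commands that trail a function definition imported from the environment.
classify_probe_output() {
  case "$1" in
    *SHELLSHOCK_PROBE_MARKER*) echo "vulnerable" ;;
    *) echo "patched" ;;
  esac
}

# Run the probe against the bash found on PATH. Prints one of:
#   no-bash     - no bash binary found, nothing to check
#   vulnerable  - bash executed the trailing command while importing the function
#   patched     - bash ignored it (fixed builds also moved function import to
#                 specially named variables, so plain names are never parsed)
shellshock_status() {
  if ! command -v bash >/dev/null 2>&1; then
    echo "no-bash"
    return 0
  fi
  # The variable's value looks like a function definition followed by an extra
  # command; an unpatched bash would execute that extra command on startup,
  # before running the (empty) command it was actually asked to run.
  out=$(env PROBE='() { :;}; echo SHELLSHOCK_PROBE_MARKER' bash -c ':' 2>/dev/null)
  classify_probe_output "$out"
}

# Usage: print the status so the check can be collected from a fleet of hosts.
status=$(shellshock_status)
echo "bash shellshock status: $status"
```

The check only covers the Bash binary on the host it runs on; on an appliance such as ROX, where the operator cannot run arbitrary scripts, the vendor-recommended mitigation (disabling DHCP until a firmware update is available) remains the controlling action.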
Siemens issued patches in August [PDF] this year to fix the Heartbleed vulnerability in the OpenSSL cryptographic library, which would otherwise have let attackers silently read data from its industrial products.