Updated December 9, 2011
The download page for FactoryLink install media is protected
by your serial number. Only customers who have a valid serial number received through the order entry process will have access.
The Security Updates are available for download below.
There were six vulnerabilities publically reported March 21, 2011 and two vulnerabilities were privately reported November 1, 2011
effecting FactoryLink versions 6.0.4 and higher. The publically reported vulnerabilities are:
|1. VRN message protocol allows reading arbitrary files through its socket.||21Mar2011||Siemens Update|
|2. VRN has vulnerabilities to malformed messages received on its socket.||21Mar2011||Siemens Update|
|3. Servers abort when 3rd party client sends a large or invalid packet. ||21Mar2011||Siemens Update|
|4. CSService message protocol allows browsing and reading arbitrary files. (version 8.x only) ||21Mar2011||Siemens Update|
|5. CSService vulnerable to malformed network packets. (version 8.x only) ||21Mar2011||Siemens Update|
|6. Server tasks are subject to denial of service attacks.||21Mar2011||Configuration|
|7. Long strings entered in the location URL causes the WebClient activex to raise access violation.||01Nov2011||Siemens Update
|8. Any file name could be entered in the save method for the activex "ActBar.ocx".||01Nov2011||MS Hotfix|
At the present time, we are not aware of any current threat to our product by malware targeting the alleged vulnerabilities.
The security updates below address vulnerability numbers 1 through 5 and number 7 and are for FactoryLink versions 6.6.1, 7.5.2,
and 8.0.2. These versions represent the last maintenance releases of the last 3 major releases of FactoryLink and are being provided
as a service to our customers.
Note: The security updates below are cumulative and supersede earlier versions and should be reapplied to any FactoryLink
system having already received an earlier version of the security update.
If you are running a different version of FactoryLink and require this security update, we recommend you upgrade to one of
these versions of FactoryLink and apply the appropriate security update.
Vulnerability 6 does not require an update / hotfix and can be addressed by a configuration change to your FactoryLink
application. Please refer to the documentation included with the updates for more details.
Vulnerability 8 effects a 3rd party ActiveX control, ActBar.ocx which is distributed with FactoryLink versions 7.x and 8.x
for use in FactoryLink's Client Builder. This vulnerability has been addressed in the Microsoft update referenced in the
Security Advisory listed below. This update prevents Actbar.ocx from being loaded by Internet Explorer(IE). The usage of
ActBar.ocx within Client Builder does not expose the vulnerable methods of the control to rogue web pages.
Siemens recommends installing the Microsoft update referenced in the Microsoft Security Advisory 2562937:
Update Rollup for ActiveX Kill Bits
Download Microsoft Security Advisory 2562937
Siemens recommends that our customers check their adherence to the recommended security practices as detailed by US-CERT. The recommended practices can be found here:
Control Systems Security Program (CSSP) - Recommended Practices
For more information, please refer to www.siemens.com/industrialsecurity and Siemens_Security_Advisory_SSA-850510:
Siemens Security Advisory SSA-850510