Siemens AG - Product Downloads
FactoryLink Downloads

The download page for FactoryLink install media is protected by your serial number. Only customers who have a valid serial number received through the order entry process will have access.

The Security Updates are available for download below.

Enter a valid FactoryLink 7.5 or 8.0 serial number to access the download page and click Continue. Then choose the desired media format and components you need.


SECURITY UPDATE
Updated December 9, 2011

General Information

Six vulnerabilities were publicly reported on March 21, 2011, and two vulnerabilities were privately reported on November 1, 2011, affecting FactoryLink versions 6.0.4 and higher. The reported vulnerabilities are:

 #   Date reported   Corrected with    Reported vulnerability
 1.  21 Mar 2011     Siemens Update    VRN message protocol allows reading arbitrary files through its socket.
 2.  21 Mar 2011     Siemens Update    VRN has vulnerabilities to malformed messages received on its socket.
 3.  21 Mar 2011     Siemens Update    Servers abort when a 3rd-party client sends a large or invalid packet.
 4.  21 Mar 2011     Siemens Update    CSService message protocol allows browsing and reading arbitrary files. (version 8.x only)
 5.  21 Mar 2011     Siemens Update    CSService vulnerable to malformed network packets. (version 8.x only)
 6.  21 Mar 2011     Configuration     Server tasks are subject to denial-of-service attacks.
 7.  01 Nov 2011     Siemens Update    Long strings entered in the location URL cause the WebClient ActiveX control to raise an access violation.
 8.  01 Nov 2011     MS Hotfix         Any file name could be entered in the save method of the ActiveX control "ActBar.ocx".

At the present time, we are not aware of any current threat to our product by malware targeting the alleged vulnerabilities.

Recommendations

The security updates below address vulnerability numbers 1 through 5 and number 7 and are for FactoryLink versions 6.6.1, 7.5.2, and 8.0.2. These versions represent the last maintenance releases of the last 3 major releases of FactoryLink and are being provided as a service to our customers.
Note: The security updates below are cumulative and supersede earlier versions and should be reapplied to any FactoryLink system having already received an earlier version of the security update.

   SecurityUpdate802.305
   SecurityUpdate752.1401
   SecurityUpdate661.305

If you are running a different version of FactoryLink and require this security update, we recommend you upgrade to one of these versions of FactoryLink and apply the appropriate security update.

Vulnerability 6 does not require an update / hotfix and can be addressed by a configuration change to your FactoryLink application. Please refer to the documentation included with the updates for more details.

Vulnerability 8 affects a 3rd-party ActiveX control, ActBar.ocx, which is distributed with FactoryLink versions 7.x and 8.x for use in FactoryLink's Client Builder. This vulnerability has been addressed in the Microsoft update referenced in the Security Advisory listed below. This update prevents ActBar.ocx from being loaded by Internet Explorer (IE). The usage of ActBar.ocx within Client Builder does not expose the vulnerable methods of the control to rogue web pages.

Siemens recommends installing the Microsoft update referenced in the Microsoft Security Advisory 2562937:

Update Rollup for ActiveX Kill Bits

Download Microsoft Security Advisory 2562937
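The Microsoft rollup above works by setting the IE "kill bit" for the control's CLSID. The following script is an added example, not part of this Siemens page or the Microsoft update: it discovers the CLSID(s) registered for ActBar.ocx on the local host and reports whether the kill bit (flag 0x400 in "Compatibility Flags") is set. Run it in an elevated PowerShell session after applying the rollup to confirm the mitigation is in place.

```powershell
# Added verification example (not Siemens or Microsoft code).
# Kill bit = 0x400 in "Compatibility Flags" under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
param(
    [string]$ControlFile = 'ActBar.ocx'   # control named in the advisory; CLSID is discovered, not hard-coded
)

$KillBit = 0x400

# 1. Find CLSIDs whose InprocServer32 points at the control (native and WOW6432 registry views).
$clsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID',
                'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')
$clsids = foreach ($root in $clsidRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $server = (Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') `
                                    -ErrorAction SilentlyContinue).'(default)'
        if ($server -and ($server -like "*\$ControlFile")) { $_.PSChildName }
    }
}

# 2. Check the ActiveX Compatibility key for each CLSID in both registry views.
$compatRoots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility')

function Test-KillBit {
    param([string]$Clsid)
    foreach ($root in $compatRoots) {
        $flags = (Get-ItemProperty -Path (Join-Path $root $Clsid) `
                                   -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags -and (($flags -band $KillBit) -eq $KillBit)) { return $true }
    }
    return $false
}

if (-not $clsids) {
    Write-Output "$ControlFile is not registered on this host; IE has nothing to load."
    return
}
foreach ($c in ($clsids | Select-Object -Unique)) {
    $state = if (Test-KillBit -Clsid $c) { 'kill bit SET' } else { 'kill bit NOT set - apply the Microsoft rollup' }
    Write-Output "$c -> $state"
}
```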

Siemens recommends that our customers check their adherence to the recommended security practices as detailed by US-CERT. The recommended practices can be found here:

Control Systems Security Program (CSSP) - Recommended Practices

For more information, please refer to www.siemens.com/industrialsecurity and Siemens Security Advisory SSA-850510:

Siemens Security Advisory SSA-850510

Copyright © 2011 Siemens Product Lifecycle Management Software Inc.