Heimdal Security Blog

Siemens SIMATIC Flaw Allows Theft of Cryptographic Keys

Recent discoveries identified a vulnerability in Siemens SIMATIC programmable logic controllers (PLCs) that can be exploited to retrieve the hardcoded, global private cryptographic keys and seize control of the devices.

Identified as CVE-2022-38465 and rated 9.3 on the CVSS scale, the vulnerability has been addressed by the German industrial manufacturer as part of security updates issued this week.

Summary

Cybersecurity company Claroty published a report in which its Team82 researchers recovered a global hardcoded cryptographic key (CVE-2022-38465) used across each affected Siemens product line. According to the report, an attacker can use these keys to perform multiple advanced attacks against Siemens SIMATIC devices and the related Totally Integrated Automation (TIA) Portal, while bypassing all four of its access level protections.

A malicious actor could use this secret information to compromise the entire SIMATIC S7-1200/1500 product line in an irreparable way.


The Hacker News listed the impacted products and versions.

Further, by extracting the PLC’s hardcoded private key, Team82 demonstrated multiple attack scenarios, including decrypting all communication between S7 PLCs and an engineering workstation (EWS) and decrypting the configured password hash on the PLC; in the wrong hands, these capabilities could lead to Man-in-the-Middle attacks and more.

Mitigations

The German manufacturer has not remained silent about the issue and recommends updating affected devices. Users who are not able to update are urged to follow the workarounds and mitigations found in the company's report in order to minimize the risk of attacks.

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security, and to follow the recommendations in the product manuals.


In addition, to mitigate the risk of attacks facilitated by CVE-2022-38465, Siemens SIMATIC users are advised to apply defense-in-depth strategies.

Other Siemens Issues

The findings are the latest in a series of major flaws that have been discovered in software used in industrial networks, The Hacker News claims.

In June, the same researchers reported multiple issues in the Siemens SINEC network management system (NMS). At the time, those vulnerabilities had the potential to expose Siemens devices to malicious activity, such as Denial-of-Service attacks, credential leaks, and even remote code execution.
