A vulnerability in the Siemens Simatic programmable logic controller (PLC) could be exploited to obtain hard-coded global private cryptographic keys and take control of devices.
“An attacker can use these keys to perform a variety of advanced attacks against Siemens SIMATIC devices and related TIA Portals, while bypassing all four of its access level protections,” said industrial cybersecurity company Claroty.
“A malicious person could use this confidential information to compromise the entire SIMATIC S7-1200/1500 product line in an irreparable way.”
The critical vulnerability, assigned identifier CVE-2022-38465, is rated 9.3 on the CVSS scale and has been addressed by Siemens as part of a security update released on October 11, 2022.
Below is a list of affected products and versions:
- SIMATIC Open Controller family (all versions prior to 2.9.2)
- SIMATIC ET 200SP 1515SP PC2 Open Controller, including SIPLUS variants (all versions prior to 21.9)
- SIMATIC ET 200SP CPU Open Controller 1515SP PC, including SIPLUS variants (all versions)
- SIMATIC S7-1200 CPU family, including SIPLUS variants (all versions prior to 4.5.0)
- SIMATIC S7-1500 CPU family, including related ET200 CPUs and SIPLUS variants (all versions prior to V2.9.2)
- SIMATIC S7-1500 Software Controller (all versions prior to 21.9)
- SIMATIC S7-PLCSIM Advanced (all versions prior to 4.0)
Claroty said it was able to gain read and write privileges for the controller by exploiting a previously disclosed vulnerability in Siemens PLCs (CVE-2020-15782) that would allow private key recovery.
Doing so would not only allow an attacker to circumvent access controls and overwrite native code, but also to gain full control over every PLC in each affected Siemens product family.
CVE-2022-38465 mirrors another serious deficiency identified in Rockwell Automation PLCs (CVE-2021-22681) last year, which could allow an adversary to remotely connect to the controller and upload malicious code, download information from the PLC, or install new firmware.
“The vulnerability is that the Studio 5000 Logix Designer software could allow a secret cryptographic key to be discovered,” Claroty noted in February 2021.
As a workaround and mitigation, Siemens recommends that customers only use legacy PG/PC and HMI communication in trusted network environments and secure access to the TIA Portal and CPU to prevent unauthorized connections.
The German industrial manufacturing company also took the step of encrypting communications between engineering stations, PLCs and HMI control panels using Transport Layer Security (TLS) in TIA Portal version 17, and warned that “the possibility of bad actors misusing the global private key increases.”
The discovery is the latest in a series of major flaws that have been discovered in software used in industrial networks. Earlier this June, Claroty detailed more than a dozen issues in the Siemens SINEC network management system (NMS) that could be abused to achieve remote code execution.
Then in April 2022, the company disclosed two vulnerabilities in Rockwell Automation PLCs (CVE-2022-1159 and CVE-2022-1161) that could be exploited to modify user programs and download malicious code to the controller remotely.