A vulnerability in Siemens Simatic programmable logic controllers (PLCs) can be exploited to obtain the hard-coded global private cryptographic keys and take control of the devices.
“An attacker can use these keys to perform multiple advanced attacks against Siemens SIMATIC devices and its associated TIA Portal while bypassing all four of its access layer protections,” industrial cybersecurity firm Claroty said in a new report.
“A malicious actor could use this secret information to irreparably compromise the entire SIMATIC S7-1200/1500 product line.”
The critical vulnerability with the identifier CVE-2022-38465 has a CVSS score of 9.3 and was fixed by Siemens as part of the security updates released on October 11, 2022.
The list of affected products and versions is as follows:
- SIMATIC Drive Controller family (all versions before 2.9.2)
- SIMATIC ET 200SP Open Controller CPU 1515SP PC2, including SIPLUS variants (all versions before 21.9)
- SIMATIC ET 200SP Open Controller CPU 1515SP PC, including SIPLUS variants (all versions)
- SIMATIC S7-1200 CPU family, including SIPLUS variants (all versions before 4.5.0)
- SIMATIC S7-1500 CPU family, including related ET200 CPUs and SIPLUS variants (all versions before V2.9.2)
- SIMATIC S7-1500 Software Controller (all versions before 21.9)
- SIMATIC S7-PLCSIM Advanced (all versions before 4.0)
Claroty said it was able to gain read and write permissions to the controller by exploiting a previously disclosed flaw in Siemens PLCs (CVE-2020-15782), which allowed the private key to be recovered.
This would not only allow an attacker to bypass access controls and override native code, but also to gain full control of every PLC in each affected Siemens product line.
CVE-2022-38465 mirrors another serious flaw identified last year in Rockwell Automation’s PLCs (CVE-2021-22681) that could have allowed an attacker to remotely connect to the controller and maliciously upload code, download information from the PLC, or install new firmware.
“The vulnerability lies in the fact that the Studio 5000 Logix Designer software may allow discovery of a secret cryptographic key,” Claroty noted in February 2021.
As workarounds and remedies, Siemens recommends that customers use legacy PG/PC and HMI communications only in trusted network environments and secure access to TIA Portal and the CPU to prevent unauthorized connections.
The German industrial company has also taken the step of encrypting communications between engineering stations, PLCs and HMI panels with Transport Layer Security (TLS) in TIA Portal version 17, while warning that the “chance of malicious actors misusing the global private keys is increasing.”
The findings are the latest in a series of major bugs discovered in software used in industrial networks. In early June, Claroty detailed over a dozen issues in Siemens’ SINEC network management system (NMS) that could be abused to obtain remote code execution capabilities.
Then, in April 2022, the company uncovered two vulnerabilities in Rockwell Automation PLCs (CVE-2022-1159 and CVE-2022-1161) that could be exploited to modify user programs and download malicious code to the controller.