Industrial cybersecurity company Claroty has uncovered a critical vulnerability in the Siemens SIMATIC S7-1200/1500 PLC and TIA Portal product lines that could allow an attacker to retrieve the hard-coded, global private cryptographic keys. These keys can in turn be used to carry out multiple advanced attacks while bypassing all four of the PLC's access-level protections. Ultimately, this could allow an attacker to seize control of the devices and irreparably compromise the entire SIMATIC S7-1200/1500 product line.
The Weak Key Protection vulnerability, tracked as CVE-2022-38465, received a critical CVSS base score of 9.3. The way the built-in global private key in SIMATIC S7-1200 and S7-1500 CPUs and related products is protected is no longer considered sufficient. Because of this flaw, attackers could discover the private key of a CPU product family by mounting an offline attack against a single CPU of that family. In the case of the team at Claroty, they first gained read and write privileges on the PLC to remotely execute code by exploiting another vulnerability (CVE-2020-15782) that had been uncovered in previous research.
According to Siemens' security advisory, once they have that key, malicious actors could extract confidential configuration data from any CPU protected by that same key, or perform attacks against legacy PG/PC and HMI communication and gain full control over every PLC in the affected Siemens product line. Siemens has also released a security bulletin providing further details and remarks regarding the vulnerability.
Update Vulnerable CPU Firmware
Siemens has released updates for its affected CPU firmware versions to remediate CVE-2022-38465. Additionally, Siemens recommends that users use legacy (i.e., not TLS-based) PG/PC and HMI communication only in trusted network environments, and protect access to the TIA Portal project and the CPU (including related memory cards) from unauthorized actors. You can find further information regarding the updates and product-specific remediations in Siemens' security advisory. The affected products are listed below.
| Affected product | Affected versions |
|---|---|
| SIMATIC Drive Controller family | All versions before V2.9.2 |
| SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) | All versions before V21.9 |
| SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) | All versions |
| SIMATIC S7-1200 CPU family (incl. SIPLUS variants) | All versions before V4.5.0 |
| SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) | All versions before V2.9.2 |
| SIMATIC S7-1500 Software Controller | All versions before V21.9 |
| SIMATIC S7-PLCSIM Advanced | All versions before V4.0 |
Discover Vulnerable Siemens PLCs
Thanks to the new OT scanner, Lansweeper can now provide you with complete and accurate OT asset inventory data. This means our team was able to create a report, based on the information provided by Siemens, to find Siemens' PLCs in the SIMATIC S7-1200/1500 product line in your environment. This way you have an actionable list of at-risk devices. You can find the report "Siemens SIMATIC S7-1200 & S7-1500 series vulnerability" in Lansweeper Cloud in the Reports tab under "Security -> Vulnerabilities".
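As an added illustration (this is not Lansweeper's report or any Siemens code), the following Python check applies the affected-version table from Siemens' advisory to an inventory of product names and firmware versions and returns the devices still needing the firmware update. The inventory, hostnames and the product-name prefix matching are constructed assumptions; the SIPLUS and related ET200 CPU variants would need additional prefixes.

```python
import re

# Affected families and the first fixed version, per the CVE-2022-38465
# advisory table. None means every version is affected (no fixed release).
# Keys are simplified name prefixes (an assumption), not Siemens identifiers.
AFFECTED = {
    "SIMATIC Drive Controller": "2.9.2",
    "SIMATIC ET 200SP Open Controller CPU 1515SP PC2": "21.9",
    "SIMATIC ET 200SP Open Controller CPU 1515SP PC": None,
    "SIMATIC S7-1200 CPU": "4.5.0",
    "SIMATIC S7-1500 CPU": "2.9.2",
    "SIMATIC S7-1500 Software Controller": "21.9",
    "SIMATIC S7-PLCSIM Advanced": "4.0",
}

def parse_version(text):
    """Turn 'V4.4.2' or '4.4' into a tuple of ints so that V2.9 < V2.9.2."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(n) for n in nums)

def match_family(product_name):
    """Longest prefix first, so '...1515SP PC2' is not taken for '...1515SP PC'."""
    for key in sorted(AFFECTED, key=len, reverse=True):
        if product_name.startswith(key):
            return key
    return None

def is_vulnerable(product_name, firmware):
    """True if the product is in an affected family and runs firmware below
    the fixed version, or if the family has no fixed version at all."""
    key = match_family(product_name)
    if key is None:
        return False
    fixed = AFFECTED[key]
    if fixed is None:
        return True
    return parse_version(firmware) < parse_version(fixed)

def at_risk_devices(inventory):
    """Return hostnames from (hostname, product, firmware) tuples that need patching."""
    return [host for host, product, fw in inventory if is_vulnerable(product, fw)]

# Constructed sample inventory: hostnames and firmware versions are made up.
SAMPLE_INVENTORY = [
    ("plc-line1", "SIMATIC S7-1200 CPU 1214C DC/DC/DC", "V4.4.2"),
    ("plc-line2", "SIMATIC S7-1500 CPU 1516-3 PN/DP", "V2.9.2"),
    ("ctrl-cell3", "SIMATIC ET 200SP Open Controller CPU 1515SP PC2", "V21.8"),
    ("ctrl-cell4", "SIMATIC ET 200SP Open Controller CPU 1515SP PC", "V2.7"),
    ("sim-dev", "SIMATIC S7-PLCSIM Advanced", "V4.0"),
]
```

Running `at_risk_devices(SAMPLE_INVENTORY)` on the constructed inventory flags plc-line1, ctrl-cell3 and ctrl-cell4; plc-line2 and sim-dev are already at the fixed version.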