Update to new versions of the vulnerable PLC and engineering workstation or implement the workarounds [300 words].
What: A critical vulnerability (CVE-2022-38465 ) exists within Siemens SIMATIC S7-1200, S7-1500 programmable logic controllers (PLCs) and TIA Portal that gives attackers a way to extract “heavily guarded, hardcoded, global private cryptographic keys” in the vulnerable products. Threat actors can use the keys to bypass all access level protections in the SIMATIC products and associated TIA Portal to carry out advanced attacks. This includes compromising the products irreparably; conducting man-in-the-middle attacks, uploading, and downloading arbitrarily; and intercepting and decrypting network traffic and passive OMS.
Vulnerability disclosure and response: Cybersecurity vendor Claroty discovered and reported the vulnerability to Siemens, which has released updated versions of the impacted technologies.
Siemens has recommended that organizations with affected PLCs should update the affected products and the corresponding TIA portal. The company has provided workarounds and mitigations for organizations that cannot immediately update. “SIMATIC S7-1200, S7-1500 CPUs and related products protect the built-in global private key in a way that cannot be considered sufficient any longer,” Siemens said. “The key is used for the legacy protection of confidential configuration data and the legacy PG/PC and HMI communication.”
Source: Claroty
Why it matters: SIMATIC S7-1200/S7-1500 PLCs are widely used to automate critical processes across multiple industries. A threat actor with access to the cryptographic key for protecting configuration data and other critical information could use it to “extract confidential configuration data from projects that are protected by that key or to perform attacks against legacy PG/PC and HMI communication,” Siemens said.
Here are the details:
Claroty’s vulnerability disclosure
Siemens remarks on weak key protection vulnerability in SIMATIC S7-1200 and S7-1500 CPU Families