A critical defect in Siemens SIMATIC PLCs could allow attackers to steal cryptographic keys



Siemens SIMATIC programmable logic controllers (PLCs) have a vulnerability that allows attackers to use their hard-coded, global cryptographic keys to take control of the devices.

"An attacker may use these keys to carry out multiple advanced attacks against Siemens SIMATIC devices and the related TIA portal while bypassing all four of its access level protections," industrial cybersecurity company Claroty said in a new report.

"The S7-1200/1500 product line could be compromised in irreparable terms by malicious actors with this secret information."  

The critical vulnerability, assigned the identifier CVE-2022-38465, carries a CVSS score of 9.3 and was addressed by Siemens as part of security updates issued on October 11, 2022.


The impacted products and versions are:

  • SIMATIC Drive Controller family (all versions before 2.9.2)
  • SIMATIC ET 200SP Open Controller CPU 1515SP PC2, including SIPLUS variants (all versions before 21.9)
  • SIMATIC ET 200SP Open Controller CPU 1515SP PC, including SIPLUS variants (all versions)
  • SIMATIC S7-1200 CPU family, including SIPLUS variants (all versions before 4.5.0)
  • SIMATIC S7-1500 CPU family, including related ET200 CPUs and SIPLUS variants (all versions before V2.9.2)
  • SIMATIC S7-1500 Software Controller (all versions before 21.9)
  • SIMATIC S7-PLCSIM Advanced (all versions before 4.0)

Using a previously disclosed flaw in Siemens PLCs (CVE-2020-15782), Claroty was able to gain read and write access to the controller's memory, which allowed it to recover the private key.

This would not only allow an attacker to override native code and extract the key, but also allow an attacker to control every PLC in an affected Siemens product line, because the key is shared across the entire line rather than being unique per device.

CVE-2022-38465 mirrors another severe shortcoming identified in Rockwell Automation PLCs (CVE-2021-22681) last year, which could have enabled an adversary to remotely connect to the controller, upload malicious code, download information from the PLC, or install new firmware.

"The vulnerability lies in the fact that Studio 5000 Logix Designer software may reveal a secret cryptographic key," Claroty noted in February 2021. 

As workarounds and mitigations, Siemens recommends that customers use legacy PG/PC and HMI communications only in trusted network environments and secure access to the TIA Portal and the CPU to prevent unauthorized connections.


The German industrial manufacturing company has also taken the step of encrypting the communications between engineering stations, PLCs and HMI panels with Transport Layer Security (TLS) in TIA Portal version 17, while warning that it considers the "likelihood of malicious actors misusing the global private key as increasing."

The findings are the latest in a series of severe flaws discovered in PLCs. Earlier this year, in June, Claroty detailed more than a dozen issues in the Siemens SINEC network management system (NMS) that could be abused to gain remote code execution.

Then in April 2022, the company disclosed two vulnerabilities in Rockwell Automation PLCs (CVE-2022-1159 and CVE-2022-1161) that could be exploited to modify user programs and download malicious code to the controller.

Hello! My Name is Meleki Kush and I am a Content Creator.
