November 22, 2024
Critical Bug in Siemens SIMATIC PLCs Could Let Attackers Steal Cryptographic Keys

A vulnerability in Siemens SIMATIC programmable logic controllers (PLCs) can be exploited to retrieve the hard-coded, global private cryptographic keys and seize control of the devices.

“An attacker can use these keys to perform multiple advanced attacks against Siemens SIMATIC devices and the related TIA Portal, while bypassing all four of its access level protections,” industrial cybersecurity company Claroty said in a new report.

“A malicious actor could use this secret information to compromise the entire SIMATIC S7-1200/1500 product line in an irreparable way.”

The critical vulnerability, assigned the identifier CVE-2022-38465, is rated 9.3 on the CVSS scoring scale and has been addressed by Siemens as part of security updates issued on October 11, 2022.

The list of impacted products and versions is below:

  • SIMATIC Drive Controller family (all versions before 2.9.2)
  • SIMATIC ET 200SP Open Controller CPU 1515SP PC2, including SIPLUS variants (all versions before 21.9)
  • SIMATIC ET 200SP Open Controller CPU 1515SP PC, including SIPLUS variants (all versions)
  • SIMATIC S7-1200 CPU family, including SIPLUS variants (all versions before 4.5.0)
  • SIMATIC S7-1500 CPU family, including related ET200 CPUs and SIPLUS variants (all versions before V2.9.2)
  • SIMATIC S7-1500 Software Controller (all versions before 21.9), and
  • SIMATIC S7-PLCSIM Advanced (all versions before 4.0)
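For asset owners, the list above can be turned into an inventory check. The following Python sketch is an added example, not code from Siemens or Claroty; the function names and the sample inventory are constructed, and it assumes inventory entries carry the family name as written in the list (SIPLUS and ET200 CPU naming would need their own mapping).

```python
import re

# Fixed-in versions copied from the affected-product list above.
# None = the list says "all versions" and names no fixed release.
FIXED_IN = {
    "SIMATIC Drive Controller": "2.9.2",
    "SIMATIC ET 200SP Open Controller CPU 1515SP PC2": "21.9",
    "SIMATIC ET 200SP Open Controller CPU 1515SP PC": None,
    "SIMATIC S7-1200 CPU": "4.5.0",
    "SIMATIC S7-1500 CPU": "2.9.2",
    "SIMATIC S7-1500 Software Controller": "21.9",
    "SIMATIC S7-PLCSIM Advanced": "4.0",
}

def parse_version(text, width=3):
    """'V2.9.2' -> (2, 9, 2); zero-padded so that 4.5 compares equal to 4.5.0."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError("no version digits in %r" % text)
    return tuple((parts + [0] * width)[:width])

def match_family(product):
    """Pick the longest matching family so '...PC2' is not read as '...PC'."""
    hits = [f for f in FIXED_IN if f.lower() in product.lower()]
    return max(hits, key=len) if hits else None

def assess(product, firmware):
    family = match_family(product)
    if family is None:
        return "not-listed"
    fixed = FIXED_IN[family]
    if fixed is None:
        return "affected-no-fix-listed"
    try:
        current = parse_version(firmware)
    except ValueError:
        return "version-unknown"  # treat as affected until verified on the device
    return "affected" if current < parse_version(fixed) else "fixed"

# Constructed sample inventory (not real asset data).
INVENTORY = [
    ("SIMATIC S7-1500 CPU 1516-3 PN/DP", "V2.8.3"),
    ("SIMATIC S7-1200 CPU 1214C", "V4.5"),
    ("SIMATIC ET 200SP Open Controller CPU 1515SP PC2", "V21.9"),
    ("SIMATIC ET 200SP Open Controller CPU 1515SP PC", "V2.7"),
    ("SIMATIC S7-300 CPU 315-2", "V3.3"),
    ("SIMATIC Drive Controller", ""),
]

if __name__ == "__main__":
    for product, fw in INVENTORY:
        print(f"{assess(product, fw):24} {product} {fw}")
```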

Claroty said it was able to get read and write privileges to the controller by exploiting a previously disclosed flaw in Siemens PLCs (CVE-2020-15782), allowing for the recovery of the private key.

Doing so would not only permit an attacker to override native code and extract the key, but also to obtain full control over every PLC in each affected Siemens product line.

CVE-2022-38465 mirrors another severe shortcoming that was identified in Rockwell Automation PLCs (CVE-2021-22681) last year, which could have enabled an adversary to remotely connect to the controller and upload malicious code, download information from the PLC, or install new firmware.

“The vulnerability lies in the fact that Studio 5000 Logix Designer software may allow a secret cryptographic key to be discovered,” Claroty noted in February 2021.

As workarounds and mitigations, Siemens recommends that customers use legacy PG/PC and HMI communications only in trusted network environments and secure access to TIA Portal and the CPU to prevent unauthorized connections.

The German industrial manufacturing company has also taken the step of encrypting the communications between engineering stations, PLCs and HMI panels with Transport Layer Security (TLS) in TIA Portal version 17, while describing the “likelihood of malicious actors misusing the global private key as increasing.”

The findings are the latest in a series of severe flaws that have been discovered in PLCs. Earlier this June, Claroty detailed over a dozen issues in Siemens SINEC network management system (NMS) that could be abused to gain remote code execution capabilities.

Then in April 2022, the company unwrapped two vulnerabilities in Rockwell Automation PLCs (CVE-2022-1159 and CVE-2022-1161) that could be exploited to modify user programs and download malicious code to the controller.