Critical exploit threatens Siemens’ users

Target Industry

No specific target industry has been identified.

Overview

Severity level: Critical – base score 9.3 out of 10; exploitation may result in complete compromise of entire SIMATIC S7-1200/1500 product line.

Vulnerability has been assigned the identifier: CVE-2022-38465.

Recently discovered by Team 82, this vulnerability can be exploited by chaining together with the previously known CVE-2020-15782, resulting in recovery of the target system’s private key. Once the targeted private key has been acquired, CVE-2022-38465 can be exploited by extracting hardcoded private keys from Siemens S6 Programmable Logic Controllers (PLCs).

Impact

Attackers could use stolen private keys to extract confidential configuration data from projects that are considered protected or to perform attacks against legacy systems, programming devices, and Human Machine Interface (HMI) communication.

Completed exploitation may result in the attacker’s full control of targeted Siemens PLCs.

Vulnerability Detection

Siemens PLCs below the patching levels listed below are vulnerable to this exploit. To counter the threat of compromise it is advised to follow the mitigation advice found later in this report.

Affected Products

Vulnerability directly affects the Siemens Simatic PLC. As a result, the following products and versions have been affected:

• SIMATIC Drive Controller family – all versions before 2.9.2
• SIMATIC ET 200SP Open Controller CPU 1515SP PC2, including SIPLUS variants – all versions before 21.9
• SIMATIC ET 200SP Open Controller CPU 1515SP PC, including SIPLUS variants – all versions
• SIMATIC S7-1200 CPU family, including SIPLUS variants – all versions before 4.5.0
• SIMATIC S7-1500 CPU family, including related ET200 CPUs and SIPLUS variants – all versions before V2.9.2
• SIMATIC S7-1500 Software Controller – all versions before 21.9
• SIMATIC S7-PLCSIM Advanced – all versions before 4.0

Containment, Mitigations & Remediations

All affected products stated above with the exception of SIMATIC ET 200SP Open Controller CPU 1515SP PC has an update available to patch the vulnerability. Customers using SIMATIC ET 200SP Open Controller CPU 1515SP PC can follow this advice provided by the Siemens Advisory team:

• Customers are advised to only use legacy PG/PC and HMI communication in trusted network environments
• Protect access to the TIA Portal project and CPU (including related memory cards) from unauthorized actors

Indicators of Compromise

The following IPs are associated with the first stage of attack (CVE-2020-15782):

• 154.94.7.136
• 36.112.86.3
• 36.48.28.12
• 37.19.221.172
• 80.251.218.235

No IOCs for CVE-2022-38465 have been discovered as no active exploitation has been reported.

Threat Landscape

The chaining of vulnerabilities is a sophisticated method of attack, and it’s likely only highly experienced threat actors, or those with nation-state backing will have the knowledge and resources to achieve a successful compromise.

Due to the complexity, any attack against an organisation is likely to be premeditated and targeted by an advanced persistent threat (APT) whose motivations match the victim company.

Threat Group

PLCs are often found operating within Critical National Infrastructure (CNI), therefore there is a realistic possibility that Russian state-sponsored threat actors will be invested in this vulnerability due to the historic motivations behind Russian cyber-offensive activities.

Mitre Methodologies

Not enough information regarding CVE-2022-38465 is available to map to the MITRE ATT&CK framework accurately.

Further Information

Siemens Advisory
Team 82 – Blog Post
Team 82 – CVE-2022-38465