Over 100 Siemens PLC Models Found Vulnerable to Firmware Takeover

The Hacker News

Firmware and Hardware Security

Security researchers have disclosed multiple architectural vulnerabilities in Siemens SIMATIC and SIPLUS S7-1500 programmable logic controllers (PLCs) that could be exploited by a malicious actor to stealthily install firmware on affected devices and take control of them.

Discovered by Red Balloon Security, the issues are tracked as CVE-2022-38773 (CVSS score: 4.6); the low severity rating reflects the prerequisite that exploitation requires physical tampering with the device.

The flaws “could allow attackers to bypass all protected boot features, resulting in persistent arbitrary modification of operating code and data,” Red Balloon said. More than 100 models are susceptible.

Put differently, the weaknesses stem from the absence of asymmetric signature verification of the firmware at boot: because the loader never checks the image against a vendor public key, an attacker can load a tainted bootloader and firmware and defeat the integrity protections that protected boot is meant to provide.

The more severe consequence of loading such modified firmware is that it gives the threat actor persistent execution of malicious code and total control of the device without raising any red flags.

“This discovery has potentially significant implications for industrial environments as these unpatchable hardware root-of-trust vulnerabilities could result in persistent arbitrary modification of S7-1500 operating code and data,” the researchers said.

Siemens, in an advisory released this week, said it has no patches planned but urged customers to limit physical access to the affected PLCs to trusted personnel to avoid hardware tampering.

No firmware update can close the hole because the cryptographic scheme that undergirds the protected boot features is baked into a dedicated physical secure element chip (the ATECC108 CryptoAuthentication coprocessor), which decrypts the firmware in memory during startup.

An attacker with physical access to the device could therefore leverage the issues identified in the cryptographic implementation to decrypt the firmware, make unauthorized changes, and flash the trojanized firmware onto the PLC either physically or by exploiting a known remote code execution flaw.
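The two boot designs contrasted above (a loader that only decrypts and sanity-checks the image, versus one that verifies an asymmetric signature against a vendor public key before running anything) can be modelled in a few dozen lines. The block below is an added, constructed illustration and is not Siemens, ATECC108 or Red Balloon code: the "secure element" secret, the firmware bytes, the image format, the SHA-256-based stream cipher standing in for the real decryption, and the 512-bit toy RSA key are all made up so that it runs with the Python standard library only. The point it demonstrates is the one the article makes: once an attacker with physical access recovers the symmetric device key, the decrypt-only loader accepts any image they build, whereas the signature-verifying loader rejects both a spliced body and an image signed under a key that is not the vendor's.

```python
"""Toy model of a decrypt-only boot check versus signature-verified boot.
Constructed example (not vendor code); key sizes and cipher are toy-grade."""
import hashlib
import random
import struct

MAGIC = b"S7FW"  # made-up image magic


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Counter-mode XOR keystream from SHA-256 (stand-in for real decryption).
    Encrypting and decrypting are the same operation."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack(">I", off // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin with a seeded RNG so key generation is reproducible."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def rsa_keygen(bits: int = 512, seed: int = 1):
    """Toy RSA keypair: returns ((n, e), (n, d)). 512 bits is NOT secure."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def build_image(body: bytes) -> bytes:
    """MAGIC | u32 length | body | SHA-256(body). The digest is an integrity
    check anyone can recompute; it proves nothing about who built the image."""
    return MAGIC + struct.pack(">I", len(body)) + body + hashlib.sha256(body).digest()


def weak_load(blob: bytes, device_key: bytes):
    """Loader modelled on the reported design: decrypt with the device key,
    sanity-check, run. Whoever holds device_key can produce an accepted blob."""
    img = keystream_xor(device_key, blob)
    if img[:4] != MAGIC:
        return None
    (ln,) = struct.unpack(">I", img[4:8])
    body, digest = img[8:8 + ln], img[8 + ln:8 + ln + 32]
    return body if hashlib.sha256(body).digest() == digest else None


def sign_image(img: bytes, priv) -> bytes:
    """Vendor-side: append a 64-byte RSA signature over SHA-256(img)."""
    n, d = priv
    h = int.from_bytes(hashlib.sha256(img).digest(), "big")
    return img + pow(h, d, n).to_bytes(64, "big")


def strong_load(signed: bytes, vendor_pub):
    """Loader with an immutable vendor public key: verify the signature first,
    and only then parse the image. Knowing the device's symmetric key does
    not help an attacker here; only the vendor's private key signs."""
    n, e = vendor_pub
    img, sig = signed[:-64], int.from_bytes(signed[-64:], "big")
    if pow(sig, e, n) != int.from_bytes(hashlib.sha256(img).digest(), "big"):
        return None
    if img[:4] != MAGIC:
        return None
    (ln,) = struct.unpack(">I", img[4:8])
    return img[8:8 + ln]


def demo():
    device_key = hashlib.sha256(b"constructed secure-element secret").digest()
    vendor_pub, vendor_priv = rsa_keygen(seed=1)      # priv never leaves the vendor
    _, attacker_priv = rsa_keygen(seed=2)             # attacker's own keypair
    genuine, evil = b"genuine S7 firmware", b"trojanized firmware"

    good_enc = keystream_xor(device_key, build_image(genuine))
    forged_enc = keystream_xor(device_key, build_image(evil))   # attacker has device_key
    good_signed = sign_image(build_image(genuine), vendor_priv)
    spliced = build_image(evil) + good_signed[-64:]             # reuse genuine signature
    attacker_signed = sign_image(build_image(evil), attacker_priv)
    return {
        "weak_genuine": weak_load(good_enc, device_key),
        "weak_forged": weak_load(forged_enc, device_key),       # accepted: the flaw
        "strong_genuine": strong_load(good_signed, vendor_pub),
        "strong_spliced": strong_load(spliced, vendor_pub),     # rejected
        "strong_attacker_key": strong_load(attacker_signed, vendor_pub),  # rejected
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'REJECTED' if result is None else result!r}")
```

The design point is where the trust anchor lives: in the weak loader the only secret is symmetric and present on every device, so extracting it from one unit (the physical-access prerequisite the advisory describes) is enough to forge images for all of them; in the signature-verifying loader the device holds only a public key, which is useless for forging. That public key has to be immutable for the scheme to mean anything, which is why the article's fix is a new hardware revision rather than a firmware update.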

“The fundamental vulnerabilities — improper hardware implementations of the [Root of Trust] using dedicated cryptographic-processor — are unpatchable and cannot be fixed by a firmware update since the hardware is physically unmodifiable,” the researchers explained.

However, the German automation giant said it’s in the process of releasing new hardware versions for the S7-1500 product family that come with a revamped “secure boot mechanism” that resolves the vulnerability.

The findings come as industrial security firm Claroty last year disclosed a critical flaw impacting Siemens SIMATIC devices that could be exploited to retrieve the hard-coded, global private cryptographic keys and completely compromise the product.


Related news

CVE-2022-38773

Affected devices do not contain an Immutable Root of Trust in Hardware. As a result, the integrity of the code executed on the device cannot be validated at load time. An attacker with physical access to the device could use this to replace the boot image of the device and execute arbitrary code.