Team82, the research arm of New York-based industrial cybersecurity firm Claroty, revealed on October 11, 2022, that they managed to extract heavily guarded, hardcoded cryptographic keys embedded within SIMATIC S7-1200/1500s, a range of Siemens programmable logic computers (PLCs), and TIA Portal, Siemens’ automated engineering software platform.
They deployed a new remote code execution (RCE) technique targeting the central processing units (CPUs) of SIMATIC S7-1200 and S7-1500 PLCs, for which they used a vulnerability uncovered in previous research on Siemens PLCs (CVE-2020-15782) that enabled them to bypass native memory protections on the PLC and gain read/write privileges.
They were able not only to extract the internal, heavily guarded private key used across the Siemens product lines but also to implement the full protocol stack, encrypt and decrypt protected communications and configurations.
“An attacker can use these keys to perform multiple advanced attacks against Siemens SIMATIC devices and the related TIA Portal, while bypassing all four of its access-level protections. [They] could [also] use this secret information to compromise the entire SIMATIC S7-1200/1500 product line in an irreparable way,” Team82 warned in the research paper.
CVE-2022-38465 has been assigned to the new vulnerability found by Team82, and given a CVSS v3 score of 9.3.
Team82 disclosed all technical information to Siemens, which released new versions of the affected PLCs and engineering workstation that address this vulnerability, urging users to move to current versions.
In its advisory, Siemens also provided a series of key protection updates, workarounds and mitigations.
This disclosure has led to the introduction of a new TLS management system in TIA Portal v17, ensuring that configuration data and communications between Siemens PLCs and engineering workstations is encrypted and confidential.