Siemens S7-1500 CPU devices Missing Immutable Root of Trust in Hardware (CVE-2022-38773)

Medium | Tenable OT Security Plugin ID 500727

Synopsis

The remote OT asset is affected by a vulnerability.

Description

Affected devices do not contain an Immutable Root of Trust in Hardware. As a result, the integrity of the code executed on the device cannot be validated at load time. An attacker with physical access to the device could use this to replace the boot image of the device and execute arbitrary code.

This plugin does not check the S7-1500 order number. If your order number is one of the following, or newer (6ESxxxx-xxxx-xxxx), this plugin may fire but the device is not vulnerable or is not known to be vulnerable:

- SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0)
- SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0)
- SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0)
- SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0)
- SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RM03-0AB0)
- SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RN03-0AB0)

Refer to the vendor advisory for more details.
https://cert-portal.siemens.com/productcert/pdf/ssa-482757.pdf

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Siemens identified the following specific workarounds and mitigations users can apply to reduce risk:

- Restrict physical access to affected devices to trusted personnel to avoid hardware tampering, such as placing devices in locked control cabinets.

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following the recommendations in the product manuals. Siemens has published additional information on industrial security.

Siemens has released the following new hardware versions of the S7-1500 product family, which contain a new secure boot mechanism that resolves the vulnerability:

- SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0)
- SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0)
- SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0)
- SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0)
- SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RM03-0AB0)
- SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RN03-0AB0)

Siemens is working on new hardware versions for additional PLC types to address this vulnerability further.

For further inquiries on security vulnerabilities in Siemens products and solutions, users should contact Siemens ProductCERT.

For more information, see the associated Siemens security advisory SSA-482757 in HTML and CSAF.

See Also

https://cert-portal.siemens.com/productcert/pdf/ssa-482757.pdf

https://www.cisa.gov/news-events/ics-advisories/icsa-23-012-08

Plugin Details

Severity: Medium

ID: 500727

Version: 1.6

Type: remote

Family: Tenable.ot

Published: 1/25/2023

Updated: 3/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-38773

CVSS v3

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:siemens:simatic_drive_controller_cpu_1504d_tf_firmware:-, cpe:/o:siemens:simatic_drive_controller_cpu_1507d_tf_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1510sp-1_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1510sp_f-1_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1511-1_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1511c-1_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1511f-1_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1511t-1_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1511tf-1_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1512c-1_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1512sp-1_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1512sp_f-1_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1513-1_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1513f-1_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1513pro-2_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1513pro_f-2_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1513r-1_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1515-2_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1515f-2_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1515r-2_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1515t-2_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1515tf-2_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1516-3_pn%2fdp_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1516f-3_pn%2fdp_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1516pro-2_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1516pro_f-2_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1516t-3_pn%2fdp_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1516tf-3_pn%2fdp_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1517-3_pn%2fdp_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1517f-3_pn%2fdp_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1517h-3_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1517t-3_pn%2fdp_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1517tf-3_pn%2fdp_firmware:-, 
cpe:/o:siemens:simatic_s7-1500_cpu_1518-4_pn%2fdp_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1518-4f_pn%2fdp_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1518f-4_pn%2fdp_mfp_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1518hf-4_pn_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1518t-4_pn%2fdp_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_1518tf-4_pn%2fdp_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_s7-1518-4_pn%2fdp_odk_firmware:-, cpe:/o:siemens:simatic_s7-1500_cpu_s7-1518f-4_pn%2fdp_odk_firmware:-, cpe:/o:siemens:siplus_et_200sp_cpu_1510sp-1_pn_firmware:-, cpe:/o:siemens:siplus_et_200sp_cpu_1510sp-1_pn_rail_firmware:-, cpe:/o:siemens:siplus_et_200sp_cpu_1510sp_f-1_pn_firmware:-, cpe:/o:siemens:siplus_et_200sp_cpu_1510sp_f-1_pn_rail_firmware:-, cpe:/o:siemens:siplus_et_200sp_cpu_1512sp-1_pn_firmware:-, cpe:/o:siemens:siplus_et_200sp_cpu_1512sp-1_pn_rail_firmware:-, cpe:/o:siemens:siplus_et_200sp_cpu_1512sp_f-1_pn_firmware:-, cpe:/o:siemens:siplus_et_200sp_cpu_1512sp_f-1_pn_rail_firmware:-, cpe:/o:siemens:siplus_s7-1500_cpu_1511-1_pn_firmware:-, cpe:/o:siemens:siplus_s7-1500_cpu_1511-1_pn_t1_rail_firmware:-, cpe:/o:siemens:siplus_s7-1500_cpu_1511-1_pn_tx_rail_firmware:-, cpe:/o:siemens:siplus_s7-1500_cpu_1511f-1_pn_firmware:-, cpe:/o:siemens:siplus_s7-1500_cpu_1513-1_pn_firmware:-, cpe:/o:siemens:siplus_s7-1500_cpu_1513f-1_pn_firmware:-, cpe:/o:siemens:siplus_s7-1500_cpu_1515f-2_pn_firmware:-, cpe:/o:siemens:siplus_s7-1500_cpu_1515f-2_pn_rail_firmware:-, cpe:/o:siemens:siplus_s7-1500_cpu_1515f-2_pn_t2_rail_firmware:-, cpe:/o:siemens:siplus_s7-1500_cpu_1515r-2_pn_firmware:-, cpe:/o:siemens:siplus_s7-1500_cpu_1515r-2_pn_tx_rail_firmware:-, cpe:/o:siemens:siplus_s7-1500_cpu_1516-3_pn%2fdp_firmware:-, cpe:/o:siemens:siplus_s7-1500_cpu_1516-3_pn%2fdp_rail_firmware:-, cpe:/o:siemens:siplus_s7-1500_cpu_1516-3_pn%2fdp_tx_rail_firmware:-, 
cpe:/o:siemens:siplus_s7-1500_cpu_1516f-3_pn%2fdp_firmware:-, cpe:/o:siemens:siplus_s7-1500_cpu_1516f-3_pn%2fdp_rail_firmware:-, cpe:/o:siemens:siplus_s7-1500_cpu_1517h-3_pn_firmware:-, cpe:/o:siemens:siplus_s7-1500_cpu_1518-4_pn%2fdp_firmware:-, cpe:/o:siemens:siplus_s7-1500_cpu_1518-4_pn%2fdp_mfp_firmware:-, cpe:/o:siemens:siplus_s7-1500_cpu_1518f-4_pn%2fdp_firmware:-

Required KB Items: Tenable.ot/Siemens

Exploit Ease: No known exploits are available

Patch Publication Date: 1/10/2023

Vulnerability Publication Date: 1/10/2023

Reference Information

CVE: CVE-2022-38773