Researchers have demonstrated that threat actors could obtain global private keys that protect some of Siemens’ industrial devices, and the vendor says it cannot rule out malicious exploitation in the future.
Details were disclosed on Tuesday by industrial cybersecurity firm Claroty, whose researchers have been looking into ways to achieve native code execution on programmable logic controllers (PLCs).
Siemens has also released a separate security bulletin highlighting the vulnerability. According to the company, in 2013, it introduced asymmetric cryptography into the security architecture of its Simatic S7-1200 and S7-1500 CPUs in an effort to protect devices, customer programs, and communications between devices.
However, due to the lack of practical solutions for dynamic key management and key distribution for industrial control systems (ICS), at the time it decided to use a built-in global private key for protection.
Siemens has confirmed the findings of Claroty researchers, admitting that the cryptographic key is not properly protected. An attacker could launch an offline attack against a single PLC and obtain a private key that can then be used to compromise the entire product line for which the key was obtained.
The attacker can then obtain sensitive configuration data or launch man-in-the-middle (MitM) attacks that enable them to read or modify data between the PLC and its connected HMIs and engineering workstations.
Claroty researchers said they obtained the private key by exploiting an arbitrary code execution vulnerability they discovered in 2020 (CVE-2020-15782), which gave them direct memory access. They have shown how an attacker who has the private key could gain full control of a PLC and conduct MitM attacks.
“Siemens is not aware of related cybersecurity incidents but considers the likelihood of malicious actors misusing the global private key as increasing,” Siemens warned.
The industrial giant has made significant changes to address the issue, with a unique password being set for each device and communications now being protected by TLS 1.3.
The company has released firmware updates, but noted that updating the firmware on a device is not sufficient.
“In addition, the hardware configuration in the TIA Portal project (V17 or later) must also be updated to the corresponding CPU version and downloaded to the PLC,” it told customers.
Related: New Vulnerabilities Can Allow Hackers to Remotely Crash Siemens PLCs
Related: New Vulnerabilities Allow Stuxnet-Style Attacks Against Rockwell PLCs
Related: Several Horner PLC Software Vulnerabilities Allow Code Execution via Malicious Font Files