Researchers at firmware security company Red Balloon Security have discovered a potentially serious vulnerability affecting many of Siemens’ programmable logic controllers (PLCs).
Exploitation of the vulnerability, tracked as CVE-2022-38773, could allow an attacker to bypass protected boot features and persistently modify the controller’s operating code and data. The cause, according to Red Balloon Security, is a series of architectural issues affecting Siemens Simatic and Siplus S7-1500 CPUs.
“The Siemens custom System-on-Chip (SoC) does not establish an indestructible Root of Trust (RoT) in the early boot process. This includes lack of asymmetric signature verifications for all stages of the bootloader and firmware before execution,” Red Balloon explained in a blog post on Tuesday.
“Failure to establish Root of Trust on the device allows attackers to load custom-modified bootloader and firmware. These modifications could allow attackers to execute and bypass tamper-proofing and integrity-checking features on the device,” the security firm added.
According to Red Balloon, an attacker can decrypt the firmware of the affected PLCs and generate their own malicious firmware that can be made bootable on more than 100 impacted device models.
Exploitation of the vulnerability requires physical access to the targeted PLC, but the researchers pointed out that a hacker may be able to exploit a different remote code execution flaw in order to deploy the malicious firmware onto the device.
Typically, hacking a PLC could allow an attacker — depending on what the controller is used for — to cause significant damage or disruption within the targeted organization.
Siemens informed customers about the vulnerability, which has a ‘medium severity’ rating based on its CVSS score, on Tuesday, when it released its first round of Patch Tuesday advisories for 2023.
“As exploiting this vulnerability requires physical tampering with the product, Siemens recommends assessing the risk of physical access to the device in the target deployment and to implement measures to make sure that only trusted personnel have access to the physical hardware,” the company said.
The vulnerability cannot be fixed with a firmware update and the industrial giant’s advisory informed customers that “currently no fix is planned”, but it clarified that it has already released new hardware versions that fix the vulnerability for some of the impacted CPUs and it’s working on new hardware versions for the remaining products.