Many versions of the Siemens Simatic S7 PLCs, and of the TIA Portal software that communicates with them, contain a hard-coded private cryptographic key. An attacker who can extract that key by exploiting a separate vulnerability can use it to bypass the controllers' other security protections and take complete control of the devices.
The weakness (CVE-2022-38465) affects the CPUs in the Simatic S7-1200 and S7-1500 PLCs, as well as the TIA Portal that operators use to communicate with the controllers. Siemens has released updates to fix the vulnerability and has overhauled the cryptographic scheme in the firmware: the current firmware and TIA Portal V17 protect configuration data with individual per-device passwords and secure engineering (PG/PC) and HMI communication with TLS, rather than relying on a single static key. The attack path is complex, and an attacker would need a deep understanding of the way the TIA Portal and the PLCs cooperate in order to succeed, but the potential effects of a successful attack could be quite serious.
“This is not trivial to exploit. You need an understanding of PLC architectures and security, and a significant investment to understand how the encryption schemes work, how to extract the key and other secret information. However, once an attacker has the private key and related cryptographic knowledge, they could create a malicious client, replace the original engineering workstation program—TIA Portal in this case—and use it to execute multiple attacks such as (a malicious) upload/download of program logic, perform man-in-the-middle attacks, and more,” said Sharon Brizinov, director of security research at Claroty, the security firm that discovered the flaws and developed the attack.
The affected PLCs are used in a wide range of industrial and manufacturing settings, and the researchers said that while the vulnerabilities were difficult to find and exploit, the consequences of an attacker doing so may be significant. For example, an attacker who has knowledge of the way the Simatic PLCs work and how the firmware is built could execute remote code, extract the private key, and even implement a new, malicious protocol stack.
“PLCs are deterministic controllers, and outputs are supposed to be always the same, and on time. Any programmatic disruption to this can put physical safety at risk, and also disrupt whatever automation process the PLC oversees. For example, in a water treatment facility, a valve controlling chemicals is supposed to open within a certain number of seconds, and any deviation could affect drinking water safety,” Brizinov said.
Claroty’s research team began by reverse engineering the firmware for an S7-1200 PLC and found that the private key was not stored in the firmware image itself, so they needed access to the memory of a running PLC. After some more work, they used a remote code execution flaw in the PLCs (CVE-2020-15782) that gave them read and write access to the controller's memory.
“Using the DA read permission we obtained, we were able to extract the entire encrypted PLC firmware (SIMATIC S7-1500) and map its functions. During the mapping process we found a function that read the private key on the PLC. Once we had the function address, we rewrote the functionality of specific MC7+ opcodes with our shell code, forcing them to call the native function that reads the private key. We then copied the key to a known memory address and read it from there. Executing the overwritten function gave us the full private key of the PLC,” the researchers said in a blog post.
That private key was shared by every device in the S7-1200 and S7-1500 product lines, so extracting it from one controller exposed all of them. Using the same methodology, the researchers then extracted the configuration key from the controller’s CPU, which let them implement their own protocol stack and encrypt and decrypt both the communications with the controller and its stored configuration.
“Siemens recommends updating both the affected products as well as the corresponding TIA Portal project to the latest versions. TIA Portal V17 and related CPU firmware versions introduced protection of confidential configuration data based on individual passwords per device and TLS-protected PG/PC and HMI communication,” Siemens said in its advisory.
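The following is an added illustration of why a fleet-wide secret is the root of the problem described above and why the per-device passwords in the fix close it. It is not Siemens firmware, not Claroty's tooling, and does not reproduce the real products' cryptography: the cipher is a stand-in built from HMAC-SHA256 so that the example runs with the Python standard library alone, the device ids and "program logic" strings are constructed, and the function names (provision_fleet, attacker_reach, forge_accepted) are this example's own. The model treats device ids as public and the root secret as the thing an attacker reads out of one controller's memory, as in the memory-read step the article describes.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a secret compiled into every unit's firmware (pre-fix state).
GLOBAL_ROOT = b"constructed-fleet-wide-secret-baked-into-firmware"


def derive_key(root_secret: bytes, device_id: bytes, purpose: bytes) -> bytes:
    """Derive a purpose-bound key from a root secret and a (public) device id."""
    return hmac.new(root_secret, device_id + b"|" + purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in stream cipher for this example only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_config(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_config(key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def provision_fleet(device_ids, per_device_secret: bool):
    """Provision controllers; returns {device_id: (root_secret_on_device, encrypted_config)}.

    per_device_secret=False models the pre-fix state: every unit carries GLOBAL_ROOT.
    per_device_secret=True models an individual secret per unit.
    """
    fleet = {}
    for dev in device_ids:
        root = secrets.token_bytes(32) if per_device_secret else GLOBAL_ROOT
        key = derive_key(root, dev, b"config")
        config = b"program logic for " + dev  # constructed placeholder content
        fleet[dev] = (root, encrypt_config(key, config))
    return fleet


def attacker_reach(fleet, compromised: bytes):
    """Attacker has read the root secret out of one unit's memory.

    Returns the ids of every unit whose stored configuration that secret decrypts.
    Device ids are public, so the attacker can derive each unit's key from the root.
    """
    stolen_root, _ = fleet[compromised]
    readable = []
    for dev, (_, blob) in fleet.items():
        if decrypt_config(derive_key(stolen_root, dev, b"config"), blob) is not None:
            readable.append(dev)
    return readable


def forge_accepted(fleet, compromised: bytes, target: bytes, payload: bytes) -> bool:
    """Can the stolen secret produce a config blob that the target unit accepts as genuine?

    This models the malicious download of program logic the researchers describe.
    """
    stolen_root, _ = fleet[compromised]
    target_root, _ = fleet[target]
    forged = encrypt_config(derive_key(stolen_root, target, b"config"), payload)
    return decrypt_config(derive_key(target_root, target, b"config"), forged) == payload


if __name__ == "__main__":
    ids = [b"plc-01", b"plc-02", b"plc-03"]
    shared = provision_fleet(ids, per_device_secret=False)
    individual = provision_fleet(ids, per_device_secret=True)
    print("global secret, compromise plc-01 ->", attacker_reach(shared, b"plc-01"))
    print("per-device secret, compromise plc-01 ->", attacker_reach(individual, b"plc-01"))
    print("forge logic for plc-03 (global secret):", forge_accepted(shared, b"plc-01", b"plc-03", b"evil"))
    print("forge logic for plc-03 (per-device):", forge_accepted(individual, b"plc-01", b"plc-03", b"evil"))
```

The point the model makes is that deriving a per-device key from a shared root does not help once that root can be read out of any one unit: the attacker reaches the whole fleet and can forge configurations the other units accept. Only a secret that differs per unit, as the advisory's individual passwords per device provide, limits a memory-read on one controller to that controller.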