‘Critical’ vulnerability found in Siemens industrial tool, allowing theft of cryptographic keys
Siemens has published patches to address a vulnerability in one of its most popular programmable logic controllers, or PLCs – industrial computers used widely in manufacturing and other industries.
Researchers at Claroty’s Team 82 disclosed this week that they discovered CVE-2022-38465 – a critical vulnerability with a CVSS score of 9.3. The issue affects the company’s SIMATIC S7-1200 and S7-1500 PLCs and corresponding versions of the TIA Portal, which facilitates communication between engineering stations, PLCs and other machines.
The bug allows attackers to extract “heavily guarded, hardcoded, global private cryptographic keys” embedded within the Siemens products that can be used by attackers “to perform multiple advanced attacks against Siemens SIMATIC devices and the related TIA Portal, while bypassing all four of its access level protections.”
A malicious actor could use this secret information to compromise the entire SIMATIC S7-1200/1500 product line “in an irreparable way,” according to Claroty.
“This is Siemens’ most popular programmable logic controller,” Claroty Director of Security Research Sharon Brizinov told The Record. “It’s used in numerous automation tasks worldwide across many industries.”
Brizinov recently gave a detailed presentation on the vulnerability’s exploitation.
The researchers noted that the information stolen through these kinds of attacks could allow hackers to develop further exploitation tools that would open the door for other attacks and data exfiltration.
Siemens published its own advisories about the issue, noting that the system was built almost 10 years ago and the products “protect the built-in global private key in a way that cannot be considered sufficient any longer.” The company explained that the key is used for the protection of confidential configuration data.
Siemens urged customers to update their systems and also outlined several workarounds to lessen exposure to the issue.
“At the time of the development of the architecture, practical solutions for dynamic key management and key distribution did not exist for industrial control systems. The additional operational effort that key management solutions impose for integrators and customers was not justifiable,” the company said.
“Because of these restrictions and the residual risk of the security threat modeling for the architecture, Siemens decided to go with an approach based on fixed key material. As both technology and threat landscape evolved significantly in the past years, this decision needs to be revised and adapted.”
Qualys vulnerability signatures manager Saeed Abbasi explained that hardcoded keys “have the power to undermine the security of authentication or encryption processes.”
“These types of cryptographic keys are intended to remain secret, and can be utilized for data encryption, integrity protection and identity verification,” Abbasi said.
“Siemens SIMATIC is used across many different industries to monitor and control production processes – it essentially acts as an invisible muscle that holds up everything. TLDR: the attacker could take over an entire operation.”
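The point Siemens and Abbasi are making about fixed key material comes down to blast radius: a single global key, once extracted from any one device, is the key for every device in the product line, whereas per-device keys confine the damage to the device that was compromised at the price of the key management and distribution effort the company describes. The Python script below is an added illustration written for this article; it is not code from Siemens, Claroty or the page. The HMAC-SHA256 configuration tag, the device names and the two key layouts are constructed stand-ins for demonstration and say nothing about how the real SIMATIC protection works.

```python
import hashlib
import hmac
import secrets

# Constructed fleet of device identifiers (hypothetical, not real serials).
DEVICE_IDS = ["plc-01", "plc-02", "plc-03"]


def tag_config(key: bytes, device_id: str, config: bytes) -> bytes:
    """Integrity tag over a configuration blob, bound to the device it is meant for.

    HMAC-SHA256 stands in for whatever a vendor's real protection is; binding the
    device id means a blob tagged for one device is rejected by another even when
    both devices happen to share a key.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(device_id.encode("utf-8"))
    mac.update(b"\x00")  # separator so the id/config boundary cannot be shifted
    mac.update(config)
    return mac.digest()


def verify_config(key: bytes, device_id: str, config: bytes, tag: bytes) -> bool:
    """Constant-time check a device performs before accepting a configuration."""
    return hmac.compare_digest(tag_config(key, device_id, config), tag)


def global_key_fleet() -> dict[str, bytes]:
    """Design A: one key baked into every device (the fixed-key pattern in the article)."""
    shared = secrets.token_bytes(32)
    return {dev: shared for dev in DEVICE_IDS}


def per_device_key_fleet() -> dict[str, bytes]:
    """Design B: each device is provisioned with its own key.

    The returned map is what a key management system would have to hold and
    distribute, which is the operational cost Siemens says was not justifiable
    when the architecture was designed.
    """
    return {dev: secrets.token_bytes(32) for dev in DEVICE_IDS}


def blast_radius(fleet: dict[str, bytes], compromised: str) -> list[str]:
    """Defender's question: if the key is extracted from `compromised`, which
    devices would accept a configuration tagged with that key?

    Each device verifies with its own provisioned key, so the answer is exactly
    the set of devices that share the extracted key.
    """
    stolen = fleet[compromised]
    candidate = b"constructed configuration blob"
    return [
        dev
        for dev, own_key in fleet.items()
        if verify_config(own_key, dev, candidate, tag_config(stolen, dev, candidate))
    ]


if __name__ == "__main__":
    print("global key, plc-01 compromised :", blast_radius(global_key_fleet(), "plc-01"))
    print("per-device, plc-01 compromised :", blast_radius(per_device_key_fleet(), "plc-01"))
```

Under the global-key layout the first line lists all three devices; under per-device keys it lists only `plc-01`. The same blast-radius reasoning applies unchanged if the tag is replaced by encryption of the configuration data, which is the use Siemens names for its key: the structure of who holds which key, not the primitive, decides how far one extraction reaches.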
Other experts, like Theon Technology’s Bryan Cunningham, said the disclosure was a sobering reminder that any encryption-based security architecture is only as secure as the management of the keys on which it is based, and that such an architecture can become vulnerable over time.