Siemens recommends that users upgrade the Intel Active Management Technology (AMT) firmware of its SIMATIC IPCs to the latest version to mitigate multiple vulnerabilities, according to a report from NCCIC.
The vulnerabilities are cryptographic issues, improper restriction of operations within the bounds of a memory buffer, and resource management errors.
Successful exploitation of these remotely exploitable vulnerabilities, which Siemens self-reported, may allow arbitrary code execution, a partial denial-of-service condition, or information disclosure.
The following products suffer from the issues:
• SIMATIC FieldPG M5: All versions prior to v22.01.06
• SIMATIC IPC427E: All versions prior to v21.01.09
• SIMATIC IPC477E: All versions prior to v21.01.09
• SIMATIC IPC547E: All versions prior to R1.30.0
• SIMATIC IPC547G: All versions prior to R1.23.0
• SIMATIC IPC627D: All versions prior to v19.02.11
• SIMATIC IPC647D: All versions prior to v19.01.14
• SIMATIC IPC677D: All versions prior to v19.02.11
• SIMATIC IPC827D: All versions prior to v19.02.11
• SIMATIC IPC847D: All versions prior to v19.01.14
• SIMATIC ITP1000: All versions prior to v23.01.04
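The list above gives, for each model, the first version that carries the fix, so an asset owner can triage an inventory by comparing installed versions against it. The script below is an added example (not Siemens' or NCCIC's tooling) that does that comparison; the fixed versions are the ones quoted above, while the inventory rows, the hostnames and the assumption that each host's installed version is available as a string are constructed for the demonstration. It handles both version formats that appear in the list ("v22.01.06" and "R1.30.0") and refuses to mark an unlisted model as safe.

```python
"""Triage a SIMATIC IPC inventory against the fixed versions listed above.

Added example, not Siemens' or NCCIC's tooling. The fixed versions are the
ones quoted in the advisory summary; the inventory rows and the assumption
that a host's installed version is available as a string are constructed.
"""
import re

# "All versions prior to X" from the advisory, i.e. X is the first fixed version.
FIXED_VERSIONS = {
    "SIMATIC FieldPG M5": "v22.01.06",
    "SIMATIC IPC427E": "v21.01.09",
    "SIMATIC IPC477E": "v21.01.09",
    "SIMATIC IPC547E": "R1.30.0",
    "SIMATIC IPC547G": "R1.23.0",
    "SIMATIC IPC627D": "v19.02.11",
    "SIMATIC IPC647D": "v19.01.14",
    "SIMATIC IPC677D": "v19.02.11",
    "SIMATIC IPC827D": "v19.02.11",
    "SIMATIC IPC847D": "v19.01.14",
    "SIMATIC ITP1000": "v23.01.04",
}

_VERSION_RE = re.compile(r"^[vVrR]?(\d+(?:\.\d+)*)$")


def parse_version(text):
    """Convert 'v22.01.06' or 'R1.30.0' into a tuple of ints.

    Both prefixes used in the advisory ('v' and 'R') are stripped; numeric
    fields are compared left to right, so '01' and '1' are equal.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(field) for field in match.group(1).split("."))


def compare_versions(a, b):
    """Three-way compare (-1, 0, 1), padding the shorter tuple with zeros so
    that 'R1.30' and 'R1.30.0' compare equal."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(product, installed):
    """True when the installed version is below the first fixed version.

    Raises KeyError for products not covered by the advisory, so an unknown
    model is never silently reported as safe.
    """
    fixed = FIXED_VERSIONS[product]
    return compare_versions(installed, fixed) < 0


def triage(inventory):
    """Classify (hostname, product, installed_version) rows.

    Returns a list of (hostname, status) with status 'affected', 'fixed' or
    'not-listed'. The last bucket is for models outside the advisory, which
    need a manual check rather than an automatic pass.
    """
    report = []
    for hostname, product, installed in inventory:
        if product not in FIXED_VERSIONS:
            report.append((hostname, "not-listed"))
            continue
        status = "affected" if is_affected(product, installed) else "fixed"
        report.append((hostname, status))
    return report


# Constructed inventory rows for demonstration; hostnames and the placeholder
# model are invented, not real assets.
SAMPLE_INVENTORY = [
    ("ipc-line1", "SIMATIC IPC427E", "v21.01.08"),
    ("ipc-line2", "SIMATIC IPC427E", "v21.01.09"),
    ("ipc-pack", "SIMATIC IPC547E", "R1.29.2"),
    ("fpg-eng", "SIMATIC FieldPG M5", "v22.02.00"),
    ("ipc-old", "PLACEHOLDER-MODEL (not in advisory)", "v19.01.02"),
]

if __name__ == "__main__":
    for hostname, status in triage(SAMPLE_INVENTORY):
        print(f"{hostname:10s} {status}")
```

The "not-listed" bucket is deliberate: a model that is absent from the advisory may be out of scope or may simply be missing from the inventory's model field, and either way it should land in a review queue rather than be counted as patched.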
In one vulnerability, a Bleichenbacher-style side channel in the TLS implementation of Intel Active Management Technology before v12.0.5 may allow an unauthenticated user to obtain the TLS session key via the network.
CVE-2018-3616 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 5.9.
In addition, multiple buffer overflows in Intel AMT in Intel CSME firmware versions before 12.0.5 may allow a privileged user to execute arbitrary code with Intel AMT execution privilege via local access.
CVE-2018-3657 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 6.7.
Also, multiple memory leaks in Intel AMT in Intel CSME firmware versions before 12.0.5 may allow an unauthenticated user with Intel AMT provisioned to cause a partial denial-of-service condition via network access.
CVE-2018-3658 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
The products are used in the chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems sectors, and they are deployed worldwide.
No known public exploits specifically target these vulnerabilities; however, an attacker with a low skill level could leverage them.
Siemens recommends users upgrade to the latest version.
The vulnerabilities are resolved in the following versions for each product listed:
SIMATIC FieldPG M5
Siemens has identified the following specific workarounds and mitigations users can apply to reduce the risk: As a prerequisite for an attack, an attacker must be able to run malicious code on affected systems. Therefore, Siemens recommends determining if it is possible that untrusted code can be run on these systems, or if existing measures implemented by the operator reduce the likelihood of untrusted code being run.
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security, and following the recommendations in the product manuals.
For additional information, see Siemens’ security advisory SSA-377318, Siemens’ guidance on Industrial Security, and Intel’s documentation on Intel Active Management Technology (AMT).