Siemens Intel Active Management Technology of SIMATIC IPCs

MonitorCVSS 6.7ICS-CERT ICSA-19-043-05Feb 12, 2019

Siemens

Attack path

Attack VectorLocal

Auth RequiredHigh

ComplexityLow

User InteractionNone needed

Summary

Siemens SIMATIC IPCs and FieldPG M5 devices contain Intel Active Management Technology (AMT) vulnerabilities that can allow a local attacker with code execution to escalate privileges and gain firmware-level control of the system. The vulnerabilities are tracked under Intel security advisories related to AMT access control issues. An attacker exploiting these flaws could potentially bypass operating system security, modify system configuration, or persist across reboots. The vulnerabilities affect all versions below the patched BIOS versions listed for each product model.

What this means

What could happen

An attacker with local access to a SIMATIC IPC or FieldPG M5 could exploit Intel AMT vulnerabilities to gain elevated privileges and run arbitrary code, potentially allowing them to modify process parameters, halt operations, or persist access to critical plant equipment.

Who's at risk

Water utilities and municipal electric utilities operating Siemens SIMATIC industrial PCs and field panel computers (FieldPG M5) should care about this vulnerability. Affected equipment includes edge control devices (IPC427E, IPC477E, IPC547E/G, IPC627D-847D models) and operator interface terminals (ITP1000) that often run process supervisory logic, data logging, and operator interfaces. Any facility using these IPCs for SCADA, process automation, or real-time control is potentially affected.

How it could be exploited

An attacker must first gain local code execution on the affected device (e.g., through malicious software, USB, or compromise of engineering workstations). Once running code locally, the attacker can exploit Intel Active Management Technology (AMT) vulnerabilities to escalate privileges and gain firmware-level control independent of the operating system.

Prerequisites

Local code execution capability on the device (attacker must be able to run malicious software or code on the system)
No network access required (vulnerability is local to the device)
Higher privileges already present or obtainable on the system

Affects firmware (hard to detect and remediate)No authentication required for local exploitationLow attack complexity (requires only local code execution)Impacts Siemens industrial control equipment widely deployed in utilitiesMany versions lack patches (several product lines marked no fix available)

Exploitability

Some exploitation risk — EPSS score 1.5%

Affected products (11)

11 with fix

ProductAffected VersionsFix Status

SIMATIC FieldPG M5: All<V22.01.06v22.01.06

SIMATIC IPC477E: All<V21.01.09V21.01.09

SIMATIC IPC547E: All<R1.30.0R1.30.0

SIMATIC IPC547G: All<R1.23.0R1.23.0

SIMATIC IPC627D: All<V19.02.11V19.02.11

SIMATIC IPC647D: All<V19.01.14V19.01.14

SIMATIC IPC677D: All<V19.02.11V19.02.11

SIMATIC IPC847D: All<V19.01.14V19.01.14

Remediation & Mitigation

0/10

Do now

0/3

HARDENINGRestrict physical and network access to IPCs and FieldPG devices; keep them behind firewalls and not directly Internet-accessible

HARDENINGAssess whether untrusted code can be executed on these devices; implement controls to prevent unauthorized software execution (e.g., application whitelisting, USB port disabling, code signing enforcement)

HARDENINGSecure engineering workstations and remote access paths to prevent compromise that could lead to local code execution on IPCs

Schedule — requires maintenance window

0/7

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade SIMATIC FieldPG M5 to v22.01.06 or later

HOTFIXUpgrade SIMATIC IPC427E and IPC477E to V21.01.09 or later

HOTFIXUpgrade SIMATIC IPC547E to R1.30.0 or later

HOTFIXUpgrade SIMATIC IPC547G to R1.23.0 or later

HOTFIXUpgrade SIMATIC IPC627D, IPC677D, and IPC827D to V19.02.11 or later

HOTFIXUpgrade SIMATIC IPC647D and IPC847D to V19.01.14 or later

HOTFIXUpgrade SIMATIC ITP1000 to V23.01.04 or later

CVEs (3)

CVE-2018-3616 CVE-2018-3657 CVE-2018-3658

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/6ff05485-68ee-4ca3-b477-2d827300c360

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.