Siemens Industrial Products (Update F)

Monitor5.5ICS-CERT ICSA-20-252-07Sep 8, 2020

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Intel processors in multiple Siemens industrial products are vulnerable to the Crosstalk (INTEL-SA-00320) microarchitecture vulnerability, which allows local code execution to read sensitive data from BIOS, firmware, or protected memory regions. The vulnerability affects SIMATIC industrial PCs (IPC3xx, IPC4xx, IPC5xx, IPC6xx, IPC8xx series), engineering workstations (Field PG M5, M6), process control PCs (IPC3000 SMART), industrial panels (ITP1000), and motion controllers (SIMOTION P320 series). Exploitation requires the attacker to first execute untrusted code on the device; it cannot be exploited remotely. Siemens has released BIOS updates for several product lines but lists many models as having no fix available.

What this means

What could happen

An attacker who runs untrusted code on an affected industrial PC or engineering workstation could read sensitive data from BIOS or system memory due to the Crosstalk microarchitecture vulnerability in Intel processors. This vulnerability cannot be exploited over the network and requires local code execution.

Who's at risk

Manufacturing organizations using Siemens industrial PCs (SIMATIC IPC3xx, IPC4xx, IPC5xx, IPC6xx, IPC8xx series), engineering workstations (SIMATIC Field PG M5 and M6), industrial touch panels (SIMATIC ITP1000), and motion controllers (SIMOTION P320 series) are affected. These devices are commonly used as HMIs, programming stations, and process control computers in manufacturing and utility plants.

How it could be exploited

An attacker must first gain the ability to execute untrusted code locally on the affected device—either through a compromised application, malware installation, or direct access. Once local code execution is achieved, the attacker can exploit the Crosstalk vulnerability to read data from BIOS, firmware, or other protected memory regions across processor cores.

Prerequisites

Local code execution capability on the affected device
Ability to run untrusted software or scripts on the industrial PC
No special credentials or network access required once local execution is achieved

Low complexity local exploitationNo authentication required once local access is gainedAffects many industrial PC models across product linesNo patches available for older or end-of-life modelsSensitive data exposure (BIOS, memory contents)

Exploitability

Low exploit probability (EPSS 0.5%)

Affected products (25)

25 pending

ProductAffected VersionsFix Status

SIMATIC Field PG M4All versionsNo fix yet

SIMATIC Field PG M5<BIOS V22.01.08No fix yet

SIMATIC Field PG M6<BIOS V26.01.07No fix yet

SIMATIC IPC347EAll versionsNo fix yet

SIMATIC IPC427D (incl. SIPLUS variants)All versionsNo fix yet

Remediation & Mitigation

0/12

Do now

0/3

HARDENINGImplement defense-in-depth security controls to limit the ability for untrusted code to execute on affected systems—including application whitelisting, code integrity checks, and process containment

HARDENINGRestrict network access to affected industrial PCs and engineering workstations using firewalls, network segmentation, and access control lists; follow Siemens operational guidelines for Industrial Security

HARDENINGRestrict user execution of untrusted applications and scripts through least-privilege access policies and disable unnecessary services on affected devices

Schedule — requires maintenance window

0/9

Patching may require device reboot — plan for process interruption

SIMATIC Field PG M5

HOTFIXUpdate SIMATIC Field PG M5 BIOS to v22.01.08 or later

SIMATIC Field PG M6

HOTFIXUpdate SIMATIC Field PG M6 BIOS to v26.01.07 or later

SIMATIC IPC477E

HOTFIXUpdate SIMATIC IPC477E and IPC477E Pro BIOS to v21.01.14 or later

SIMATIC IPC527G

HOTFIXUpdate SIMATIC IPC527G BIOS to R1.4.0 or later

SIMATIC IPC547G

HOTFIXUpdate SIMATIC IPC547G BIOS to R1.28.0 or later

SIMATIC IPC627E

HOTFIXUpdate SIMATIC IPC627E, IPC647E, IPC677E, and IPC847E BIOS to v25.02.06 or later

SIMATIC ITP1000

HOTFIXUpdate SIMATIC ITP1000 BIOS to v23.01.08 or later

SIMATIC IPC3000 SMART V2

HOTFIXUpdate SIMATIC IPC3000 SMART v2 BIOS to v1.B or later

All products

HOTFIXUpdate SIMATIC IPC427E BIOS to v21.01.14 or later

CVEs (1)

CVE-2020-0543

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close