OTPulse

Siemens Industrial Products Intel CPUs (Update F)

Monitor | CVSS 7.5 | ICS-CERT ICSA-21-222-05 | Aug 10, 2021
Attack Vector: Local
Auth Required: High
Complexity: High
User Interaction: None needed
Summary

Siemens industrial products based on Intel CPUs are affected by multiple Intel vulnerabilities published in June 2021 (Intel-SA-00459, 00463, 00464, 00465) involving Intel CSME, SPS, LMS, processor firmware, and BIOS. These affect SIMATIC industrial PCs (IPC127E, IPC347G, IPC427E, IPC477E, IPC627E, IPC647E, IPC677E, IPC847E), mobile programming terminals (Field PG M5/M6, ITP1000), distributed I/O controllers (ET 200SP Open Controller CPU 1515SP PC2), drive controllers, and CNC controllers (SINUMERIK 828D, MC MCU 1720, ONE/840D sl). Exploitation requires local/physical access and high privilege level. Siemens has released BIOS updates for some products but several products (S7-1500 CPU 1518-4 PN/DP MFP, CPU 1518F-4 PN/DP, Drive Controller CPU 1504D TF, CPU 1507D TF, IPC547G, and Field PG M5) are marked as having no fix available.

What this means
What could happen
An attacker with local access to an affected Siemens industrial computer or controller could exploit Intel CPU vulnerabilities to read sensitive data or potentially modify system firmware, affecting process integrity on manufacturing PLCs and CNCs.
Who's at risk
Manufacturing plants using Siemens industrial PCs and controllers for automation, including SIMATIC S7-1500 CPUs, SIMATIC Field PG mobile programming devices, SIMATIC IPC industrial PCs, SIMATIC ET 200SP controllers, and SINUMERIK CNC machine control units. End-of-life products (notably S7-1500 CPU 1518-4 PN/DP, CPU 1518F-4 PN/DP, Drive Controller CPUs 1504D and 1507D, and IPC547G) have no patches available.
How it could be exploited
An attacker with physical or local network access to the industrial PC or controller (e.g., via compromised engineering workstation or direct LAN access) can exploit Intel CSME, SPS, LMS, processor, or BIOS vulnerabilities to access memory, read firmware, or execute code with high privileges.
Prerequisites
  • Local or physical access to the affected Siemens industrial computer or controller
  • High privilege level on the target system (root/administrator)
  • Knowledge of the specific Intel vulnerability being targeted
  • Local exploitation only (not remotely exploitable)
  • Requires high privilege level
  • No publicly known exploits
  • Multiple products have no fix available (EOL)
  • Affects integrity of process control and firmware
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (25)
25 pending
Product                      Affected Versions   Fix Status
SIMATIC Field PG M6          <V26.01.08          No fix yet
SIMATIC IPC3000 SMART V3     <V01.04.00          No fix yet
SIMATIC IPC347G              <V01.04.00          No fix yet
SIMATIC IPC427E              <V21.01.16          No fix yet
SIMATIC IPC477E              <V21.01.16          No fix yet
Remediation & Mitigation
Do now
HARDENING: Implement network access controls and firewalls to restrict access to industrial PCs and controllers to authorized engineering workstations and maintenance systems only
HARDENING: Enforce least-privilege user accounts on all affected devices; restrict administrative access to authorized personnel only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC IPC627E
HOTFIX: Update BIOS to v25.02.10 or later on SIMATIC IPC627E, IPC647E, IPC677E, and IPC847E
SIMATIC IPC427E
HOTFIX: Update BIOS to v21.01.16 or later on SIMATIC IPC427E, IPC477E, and IPC477E Pro
SIMATIC ITP1000
HOTFIX: Update BIOS to v23.01.10 or later on SIMATIC ITP1000
SIMATIC Field PG M6
HOTFIX: Update BIOS to v21.01.07 or later on SIMATIC Field PG M6
SIMATIC IPC347G
HOTFIX: Update BIOS to v01.04.00 or later on SIMATIC IPC347G and IPC3000 SMART V3
SIMATIC IPC127E
HOTFIX: Update BIOS to v21.01.07 or later on SIMATIC IPC127E
All products
HOTFIX: Update BIOS to v0209_0105 or later on SIMATIC ET 200SP Open Controller CPU 1515SP PC2
HOTFIX: Update BIOS on SINUMERIK controllers (828D HW PPU.4 to v08.00.00.00, MC MCU 1720 to v05.00.00.00, ONE/840D sl HT 10 to v08.00.00.00, ONE PPU 1740 to v06.00.00.00) via Siemens account manager
Long-term hardening
HARDENING: Limit physical access to affected industrial computers and controllers to authorized personnel
Siemens Industrial Products Intel CPUs (Update F) | CVSS 7.5 - OTPulse