Special Register Buffer Data Sampling (SRBDS) aka Crosstalk in Industrial Products
Monitor · 5.5 · SSA-534763 · Sep 8, 2020
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
SRBDS (Special Register Buffer Data Sampling), also known as Crosstalk, is a hardware vulnerability in modern Intel processors that allows a local attacker to read sensitive data from CPU special registers (such as encryption keys or other confidential values) that were previously used by other processes on the same system. Siemens has released BIOS updates for some affected industrial products (Field PG M5/M6, IPC427E, IPC477E/IPC477E Pro, IPC527G, IPC547G, IPC627E/647E/677E/847E, and ITP1000). Many other Siemens industrial PC and controller models are end-of-life and will not receive fixes. The vulnerability requires local system access to exploit.
What this means
What could happen
An attacker with local access to a Siemens industrial PC or controller could read sensitive data from special CPU registers (such as encryption keys or other confidential values) that were used by other processes on the same system, potentially compromising system security or operational integrity.
Who's at risk
Siemens industrial automation products used in manufacturing environments are affected, including industrial PCs (IPC series), field programming devices (SIMATIC Field PG), motion control systems (SIMOTION), and operator interface terminals (ITP1000). Water utilities and electric utilities using these systems for process control, SCADA, and distributed control systems should assess their inventory.
How it could be exploited
An attacker with a local user account on the affected industrial PC or controller can use the SRBDS/Crosstalk vulnerability to run code that samples the special register buffer (the staging buffer that SRBDS targets), extracting data left behind by other processes running on the same Intel processor core. The attacker must already have logged-in access to the system; the flaw is not remotely exploitable.
Prerequisites
- Local user account on the affected Siemens industrial PC or controller
- Access to execute code on the system
- System must be running an affected Intel processor (Intel Xeon E-series or similar)
Key points
- Low complexity attack
- Requires local access (not remotely exploitable)
- No authentication required beyond local user account
- Many products have no fix available (end-of-life)
- Affects confidentiality of sensitive data on the system
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (25)
Product | Affected Versions | Fix Status
SIMATIC Field PG M4 | All versions | No fix yet
SIMATIC Field PG M5 | All BIOS versions < V22.01.08 | No fix yet
SIMATIC Field PG M6 | All BIOS versions < V26.01.07 | No fix yet
SIMATIC IPC347E | All versions | No fix yet
SIMATIC IPC427D (incl. SIPLUS variants) | All versions | No fix yet
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC Field PG M5
HOTFIX: Update SIMATIC Field PG M5 BIOS to version V22.01.08 or later
SIMATIC Field PG M6
HOTFIX: Update SIMATIC Field PG M6 BIOS to version V26.01.07 or later
SIMATIC IPC477E
HOTFIX: Update SIMATIC IPC477E, IPC477E Pro BIOS to version V21.01.14 or later
SIMATIC IPC527G
HOTFIX: Update SIMATIC IPC527G BIOS to version V1.4.0 or later
SIMATIC IPC547G
HOTFIX: Update SIMATIC IPC547G BIOS to version R1.28.0 or later
SIMATIC IPC627E
HOTFIX: Update SIMATIC IPC627E, IPC647E, IPC677E, IPC847E BIOS to version V25.02.06 or later
SIMATIC ITP1000
HOTFIX: Update SIMATIC ITP1000 BIOS to version V23.01.08 or later
All products
HOTFIX: Update SIMATIC IPC427E BIOS to version V21.01.14 or later
Long-term hardening
SIMATIC IPC3000 SMART V2
HARDENING: For systems where BIOS updates are not available (Field PG M4, IPC347E, IPC427D, IPC477D, IPC547E, IPC627D, IPC647D, IPC677D, IPC827D, IPC847D, SIMATIC IPC3000 SMART V2, SIMOTION P320-4E/4S), restrict local user access and enforce strong authentication to limit who can log in
All products
HARDENING: Disable unnecessary user accounts and limit login shell access on systems where BIOS updates are unavailable
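The remediation steps above amount to a per-product comparison of the installed BIOS level against the fixed level, with a separate "no fix, harden instead" bucket for the end-of-life models. The script below is an added illustration of that inventory check and is not Siemens tooling or part of the advisory. The fixed-version table and the no-fix product list are taken from the advisory text; the inventory records, host names and the installed BIOS strings in them are constructed sample data; and the version-parsing rule (a letter prefix such as "V" or "R" followed by dot-separated integers, compared numerically with missing trailing components treated as zero) is an assumption about how Siemens BIOS strings are formed.

```python
"""Check an IPC/PG inventory against the BIOS fix levels in Siemens SSA-534763.

Added example, not Siemens code. Fixed-version data comes from the advisory;
inventory entries are constructed; the version-string grammar is an assumption.
"""
import re

# Fixed BIOS levels listed in the advisory's HOTFIX items.
FIXED_BIOS = {
    "SIMATIC Field PG M5": "V22.01.08",
    "SIMATIC Field PG M6": "V26.01.07",
    "SIMATIC IPC427E": "V21.01.14",
    "SIMATIC IPC477E": "V21.01.14",
    "SIMATIC IPC477E Pro": "V21.01.14",
    "SIMATIC IPC527G": "V1.4.0",
    "SIMATIC IPC547G": "R1.28.0",
    "SIMATIC IPC627E": "V25.02.06",
    "SIMATIC IPC647E": "V25.02.06",
    "SIMATIC IPC677E": "V25.02.06",
    "SIMATIC IPC847E": "V25.02.06",
    "SIMATIC ITP1000": "V23.01.08",
}

# Products the advisory says get no BIOS update (hardening only).
NO_FIX = {
    "SIMATIC Field PG M4", "SIMATIC IPC347E", "SIMATIC IPC427D", "SIMATIC IPC477D",
    "SIMATIC IPC547E", "SIMATIC IPC627D", "SIMATIC IPC647D", "SIMATIC IPC677D",
    "SIMATIC IPC827D", "SIMATIC IPC847D", "SIMATIC IPC3000 SMART V2",
    "SIMOTION P320-4E", "SIMOTION P320-4S",
}

# Assumed grammar: optional letter prefix, then dot-separated integers.
_VERSION_RE = re.compile(r"^([A-Za-z]*)(\d+(?:\.\d+)*)$")


def parse_bios_version(text):
    """Split 'V22.01.08' into ('V', (22, 1, 8)); raise ValueError on anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIOS version string: {text!r}")
    prefix, nums = m.groups()
    return prefix.upper(), tuple(int(n) for n in nums.split("."))


def is_fixed(product, bios_version):
    """True if the installed BIOS is at or above the fixed level for this product.

    Returns None when the advisory lists no fixed level for the product.
    Raises ValueError if the installed string belongs to a different version
    family (e.g. 'V' vs 'R'), since those cannot be ordered safely.
    """
    fixed = FIXED_BIOS.get(product)
    if fixed is None:
        return None
    fixed_prefix, fixed_nums = parse_bios_version(fixed)
    inst_prefix, inst_nums = parse_bios_version(bios_version)
    if fixed_prefix != inst_prefix:
        raise ValueError(
            f"{product}: installed family {inst_prefix!r} differs from advisory family {fixed_prefix!r}"
        )
    # Pad so that 'V1.4' and 'V1.4.0' compare as equal rather than V1.4 < V1.4.0.
    width = max(len(fixed_nums), len(inst_nums))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(inst_nums) >= pad(fixed_nums)


def classify(product, bios_version):
    """Map one device to the remediation bucket the advisory puts it in."""
    if product in NO_FIX:
        return "no fix available: restrict local access (hardening)"
    fixed = FIXED_BIOS.get(product)
    if fixed is None:
        return "not listed in SSA-534763"
    return "patched" if is_fixed(product, bios_version) else f"update BIOS to {fixed} or later"


def assess(inventory):
    """Return {host: remediation bucket} for a list of {'host','product','bios'} records."""
    return {item["host"]: classify(item["product"], item["bios"]) for item in inventory}


# Constructed sample inventory (host names and installed BIOS strings are made up).
SAMPLE_INVENTORY = [
    {"host": "pg-line1", "product": "SIMATIC Field PG M5", "bios": "V22.01.05"},
    {"host": "ipc-pack2", "product": "SIMATIC IPC547G", "bios": "R1.28.0"},
    {"host": "ipc-old", "product": "SIMATIC IPC427D", "bios": "V17.02.09"},
    {"host": "hmi-3", "product": "SIMATIC ITP1000", "bios": "V23.01.08"},
    {"host": "eng-ws", "product": "SIMATIC IPC527G", "bios": "V1.4"},
]

if __name__ == "__main__":
    for host, status in assess(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {status}")
```

Devices that land in the "no fix available" bucket are the ones the HARDENING items above apply to; for the rest, the returned string names the exact BIOS level to schedule in the maintenance window. A version-family mismatch is raised rather than silently ordered, because a wrong "patched" verdict is the failure mode an inventory check most needs to avoid.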
CVEs (1)