OTPulse

Weak Key Protection Vulnerability in SIMATIC S7-1200 and S7-1500 CPU Families

Plan Patch | CVSS 9.3 | SSA-568427 | Oct 11, 2022
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIMATIC S7-1200 and S7-1500 CPUs and related products use a built-in, family-wide global private key to protect confidential configuration data and legacy PG/PC and HMI communication. This key protection mechanism is now considered insufficient: an attacker could extract the private key through an offline attack against a single CPU of the family and then use it to decrypt configuration data from every other CPU of that family, or to attack legacy PG/PC and HMI communication with them. Siemens recommends updating affected products to firmware versions that support individual per-device passwords and TLS-protected communication, and migrating projects to TIA Portal V17 or later so those features can be used.

What this means
What could happen
An attacker who can run an offline attack against a single CPU from an affected family could extract the built-in private key that protects configuration data and legacy communication. Because every CPU of the family shares that key, the attacker could then decrypt confidential project data from any CPU of the family, or impersonate engineering workstations (PG/PC) and HMI systems communicating with any of them.
Who's at risk
Plant operators running SIMATIC S7-1200 and S7-1500 PLCs, related ET 200 CPUs and Drive Controllers, and the engineering teams that program them with TIA Portal. Any site that still relies on legacy protection of confidential configuration data, or on legacy (non-TLS) PG/PC and HMI communication with these CPU families, is affected.
How it could be exploited
An attacker obtains a single CPU, or a firmware image of one, from an affected product line (S7-1200 or S7-1500 family) and, through an offline attack against that one device, extracts the family-wide built-in private key. With that key they can decrypt protected configuration data from any other CPU that uses the same family key, or intercept and forge legacy PG/PC and HMI communications with those CPUs, for example to read process data or send commands.
Prerequisites
  • Physical or logical access to one CPU, or a firmware image of one, from the affected family
  • The capability to carry out the offline key-extraction attack against that device
  • For live attacks on legacy PG/PC or HMI communication: a network position from which the attacker can reach the target CPU or intercept traffic between it and the engineering workstation or HMI
Key points
  • Weak key protection mechanism
  • Family-wide shared private key (one key compromise affects the entire product line)
  • No authentication required for key extraction
  • Low complexity exploit (offline attack against a single device)
  • Affects configuration data confidentiality and legacy communication integrity
  • SIMATIC ET 200SP Open Controller CPU 1515SP PC has no patch available
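The following is an added illustration of the weakness class described above; it is not Siemens' actual key-management or encryption scheme and not code from OTPulse. The "legacy" scheme stands in for any design in which every CPU of a product family ships with the same built-in key; the "per-device" scheme stands in for the fixed design, where each device derives its own key from an individually configured password. The cipher (a counter-mode keystream from HMAC-SHA256 with an HMAC tag, encrypt-then-MAC) and all keys, salts and configuration blobs are constructed for the demo. It shows why extracting the key from one device breaks every device under the legacy scheme but only that one device under the per-device scheme.

```python
"""Model of why a family-wide built-in key is a weak key-protection mechanism.

Added example; NOT Siemens' real scheme. Standard library only.
"""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN, TAG_LEN = 16, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong or the blob was tampered."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


# Legacy scheme: one key baked into every CPU of the family (constructed value).
FAMILY_KEY = hashlib.sha256(b"constructed family-wide built-in key").digest()


def legacy_protect(config: bytes) -> bytes:
    return encrypt(FAMILY_KEY, config)


# Per-device scheme: key derived from an individual password and a per-device salt.
def device_key(password: str, device_salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), device_salt, 100_000)


def per_device_protect(config: bytes, password: str, device_salt: bytes) -> bytes:
    return encrypt(device_key(password, device_salt), config)


def demo() -> dict:
    """Attacker extracts CPU A's key offline, then tries it against CPU B's data."""
    cfg_b = b"PLC-B: setpoint=17; hmi_pw=plant2"  # constructed sample config

    # Legacy: the key pulled out of CPU A is the same key CPU B uses.
    extracted_from_a = FAMILY_KEY
    legacy_blob_b = legacy_protect(cfg_b)

    # Per-device: CPU A's key is derived from A's own password and salt.
    key_a = device_key("individual-pw-A", os.urandom(16))
    salt_b = os.urandom(16)
    per_device_blob_b = per_device_protect(cfg_b, "individual-pw-B", salt_b)

    return {
        "legacy_cross_device": decrypt(extracted_from_a, legacy_blob_b),   # cfg_b leaks
        "per_device_cross_device": decrypt(key_a, per_device_blob_b),       # None
        "per_device_owner": decrypt(device_key("individual-pw-B", salt_b), per_device_blob_b),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point of the per-device scheme is not a stronger cipher (both halves use the same one) but that the secret needed to decrypt device B never exists on device A. That is also why updating firmware alone is not enough: the individual password is only set once the project has been migrated and redeployed from TIA Portal V17 or later.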
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (7)
6 with fix, 1 EOL
Product | Affected Versions | Fix Status
SIMATIC S7-1200 CPU family (incl. SIPLUS variants) | < V4.5.0 | V4.5.0
SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) | < V2.9.2 | V2.9.2
SIMATIC S7-1500 Software Controller | < V21.9 | V21.9
SIMATIC S7-PLCSIM Advanced | < V4.0 | V4.0
SIMATIC Drive Controller family | < V2.9.2 | V2.9.2
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) | < V21.9 | V21.9
SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) | All versions | No fix (EOL)
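A fleet triage check against the affected-products table above, as an added example (not OTPulse or Siemens tooling). The thresholds are the "Affected Versions" and "Fix Status" columns; the inventory rows are constructed sample data, and the family names used as keys are shortened labels chosen here. Versions are compared numerically component by component, so "V21.10" is correctly treated as newer than V21.9 and "V4.5" as equal to V4.5.0, which a plain string comparison gets wrong.

```python
"""Triage a PLC inventory against the SSA-568427 affected-products table.

Added example; thresholds are from the table on this page, inventory rows are constructed.
"""
from typing import List, Optional, Tuple

# Product family -> first fixed firmware version, or None when no fix exists (EOL).
FIXED_IN = {
    "S7-1200 CPU": "4.5.0",
    "S7-1500 CPU": "2.9.2",
    "S7-1500 Software Controller": "21.9",
    "S7-PLCSIM Advanced": "4.0",
    "Drive Controller": "2.9.2",
    "ET 200SP Open Controller CPU 1515SP PC2": "21.9",
    "ET 200SP Open Controller CPU 1515SP PC": None,
}

FOLLOW_UP = ("migrate the project to TIA Portal V17 or later, redeploy, and enable "
             "'Only allow secure PG/PC and HMI communication'")


def parse_version(v: str) -> Tuple[int, ...]:
    """Accept 'V4.5.0', 'v4.5' or '4.5.0' and return a numeric tuple."""
    return tuple(int(part) for part in v.strip().lstrip("Vv").split("."))


def version_lt(a: str, b: str) -> bool:
    """Numeric, zero-padded comparison: '4.5' == '4.5.0', '21.9' < '21.10'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def assess(product: str, firmware: str) -> str:
    fixed: Optional[str] = FIXED_IN.get(product, "")
    if fixed == "":
        return "unknown product: not listed in the advisory table"
    if fixed is None:
        return ("AFFECTED (EOL, no fix): segment the network and restrict access "
                "from engineering workstations and HMIs")
    if version_lt(firmware, fixed):
        return f"AFFECTED: update firmware to V{fixed} or later, then {FOLLOW_UP}"
    return f"firmware at fixed level (V{fixed} or later); confirm you also {FOLLOW_UP}"


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """inventory rows: (asset name, product family, firmware version)."""
    return [(name, assess(family, fw)) for name, family, fw in inventory]


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    ("line1-plc", "S7-1200 CPU", "V4.4.2"),
    ("line2-plc", "S7-1500 CPU", "V2.9.2"),
    ("sim-host", "S7-1500 Software Controller", "V21.10"),
    ("packaging-oc", "ET 200SP Open Controller CPU 1515SP PC", "V21.8"),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY):
        print(f"{name}: {verdict}")
```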
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC S7-1500 Software Controller
HOTFIX: Update SIMATIC S7-1500 Software Controller to version 21.9 or later
SIMATIC S7-PLCSIM Advanced
HOTFIX: Update SIMATIC S7-PLCSIM Advanced to version 4.0 or later
SIMATIC Drive Controller family
HOTFIX: Update SIMATIC Drive Controller family to version 2.9.2 or later
All products
HOTFIX: Update SIMATIC S7-1200 CPU firmware to version 4.5.0 or later
HOTFIX: Update SIMATIC S7-1500 CPU firmware to version 2.9.2 or later
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 to version 21.9 or later
HOTFIX: Migrate the TIA Portal project to the latest version (V17 or later) and redeploy it to the updated CPUs
HARDENING: Configure the CPU setting 'Only allow secure PG/PC and HMI communication' within the migrated project
Mitigations - no patch available
SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to restrict access to engineering workstations and HMI systems; isolate CPU management traffic from the general IT network