Information Disclosure Vulnerability in Intel-CPUs (CVE-2022-40982) Impacting SIMATIC IPCs
Monitor | 6.5 | SSA-981975 | Sep 12, 2023
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Several Intel CPU-based SIMATIC industrial automation products are affected by CVE-2022-40982 (Gather Data Sampling / Downfall), an information exposure vulnerability that could allow an authenticated local user to read other users' data on the same system. Affected products include SIMATIC IPCs (BX-39A, PX-39A, PX-39A PRO, RW-543A, IPC1047/1047E, IPC627E, IPC647E, IPC677E, IPC847E) and Field PG M6. The vulnerability stems from a CPU-level design issue documented in Intel Security Advisory SA-00828. Most products have patches available; SIMATIC IPC1047 (all versions) has no fix planned.
What this means
What could happen
An attacker with local access to the workstation or IPC could read data from other users or processes on the same system, potentially exposing sensitive engineering logic, credentials, or process data. This is a local information disclosure vulnerability, not remote code execution.
Who's at risk
SIMATIC automation controllers and engineering workstations running on Intel CPUs, including the IPC BX-39A, PX-39A, RW-543A, IPC1047/1047E series, IPC627E/647E/677E/847E series, and Field PG M6. This affects manufacturers and utilities using Siemens SCADA/automation systems for process monitoring and control, particularly those with shared workstations or multi-user access to engineering PCs.
How it could be exploited
An attacker must log into the SIMATIC IPC or engineering workstation with valid user credentials. Once authenticated, they can craft specific memory access patterns to exploit the Intel CPU vulnerability and read data from other processes or users on the same machine, such as process variable values or authentication tokens from engineering software.
Prerequisites
- Valid local user credentials on the affected SIMATIC IPC or Field PG M6 workstation
- Local logon access (interactive or remote session)
- User-level or administrator privileges depending on target data sensitivity
- Target system must be running a vulnerable version of the listed SIMATIC products
- Authenticated local access required
- Low complexity exploitation
- Information disclosure only (no integrity or availability impact)
- No patch available for SIMATIC IPC1047
- Could expose sensitive process variables or engineering credentials
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (11)
10 with fix, 1 EOL
Product | Affected Versions | Fix Status
SIMATIC Field PG M6 | < V26.01.11 | 26.01.11
SIMATIC IPC BX-39A | < V29.01.04 | 29.01.04
SIMATIC IPC PX-39A | < V29.01.04 | 29.01.04
SIMATIC IPC PX-39A PRO | < V29.01.04 | 29.01.04
SIMATIC IPC RW-543A | < V1.1.2 | 1.1.2
SIMATIC IPC1047E | < V4.2 | 4.2
SIMATIC IPC627E | < V25.02.14 | 25.02.14
SIMATIC IPC647E | < V25.02.14 | 25.02.14
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC Field PG M6
HOTFIX: Update SIMATIC Field PG M6 to firmware version 26.01.11 or later
SIMATIC IPC BX-39A
HOTFIX: Update SIMATIC IPC BX-39A to firmware version 29.01.04 or later
SIMATIC IPC PX-39A
HOTFIX: Update SIMATIC IPC PX-39A to firmware version 29.01.04 or later
HOTFIX: Update SIMATIC IPC PX-39A PRO to firmware version 29.01.04 or later
SIMATIC IPC RW-543A
HOTFIX: Update SIMATIC IPC RW-543A to firmware version 1.1.2 or later
SIMATIC IPC1047E
HOTFIX: Update SIMATIC IPC1047E to firmware version 4.2 or later
SIMATIC IPC627E
HOTFIX: Update SIMATIC IPC627E to firmware version 25.02.14 or later
SIMATIC IPC647E
HOTFIX: Update SIMATIC IPC647E to firmware version 25.02.14 or later
SIMATIC IPC677E
HOTFIX: Update SIMATIC IPC677E to firmware version 25.02.14 or later
SIMATIC IPC847E
HOTFIX: Update SIMATIC IPC847E to firmware version 25.02.14 or later
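On an IPC that runs Linux, the kernel's own view of the Gather Data Sampling mitigation can be checked after the firmware update. The script below is an added example, not part of the Siemens or Intel advisory; it assumes a kernel that exposes the gather_data_sampling sysfs file and that the fixed firmware delivers the Intel microcode update. The function names are illustrative, and the status strings are the kernel's documented values, not taken from this page.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the running Linux
# kernel sees the Gather Data Sampling (CVE-2022-40982) microcode mitigation.
# Assumption: the IPC runs a Linux kernel that exposes this sysfs file.
GDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling

# classify_gds STATUS -> mitigated | fallback | vulnerable | not_affected | unknown
classify_gds() {
    case "$1" in
        "Not affected")               echo not_affected ;;
        "Mitigation: Microcode"*)     echo mitigated ;;   # also "(locked)"
        "Mitigation: AVX disabled"*)  echo fallback ;;    # software-only, no microcode
        "Vulnerable"*)                echo vulnerable ;;  # also "Vulnerable: No microcode"
        *)                            echo unknown ;;     # e.g. hypervisor-dependent
    esac
}

# gds_status [FILE] -> classification of the status line in FILE (default: sysfs)
gds_status() {
    path=${1:-$GDS_SYSFS}
    if [ -r "$path" ]; then
        classify_gds "$(cat "$path")"
    else
        echo unknown   # file absent: kernel predates GDS reporting, or not Linux
    fi
}

# gds_advice CLASS -> one-line action for the operator
gds_advice() {
    case "$1" in
        mitigated)    echo "microcode mitigation active" ;;
        not_affected) echo "CPU not affected by GDS" ;;
        fallback)     echo "AVX disabled as stopgap; firmware update still required" ;;
        vulnerable)   echo "not mitigated; schedule the firmware update" ;;
        *)            echo "status unavailable; verify firmware version manually" ;;
    esac
}

state=$(gds_status)
printf 'GDS (CVE-2022-40982): %s - %s\n' "$state" "$(gds_advice "$state")"
```

A result of fallback or vulnerable on a device listed above as patched means the running firmware did not load the updated microcode and the installed version should be rechecked.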
Mitigations - no patch available
SIMATIC IPC1047 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: For SIMATIC IPC1047 (all versions), implement host-based security controls such as disabling unnecessary user accounts and restricting local logon to authorized personnel only
HARDENING: Restrict local access to SIMATIC IPCs and engineering workstations to authorized personnel; implement physical access controls and session monitoring
CVEs (1)