Skip to main content
Cybersecurity

Exploring the Siemens SIMATIC IPC Family, ITP1000, and Field PGs

Exploring the Siemens SIMATIC IPC Family, ITP1000, and Field PGs

1. EXECUTIVE SUMMARY

  • CVSS v4 8.4
  • ATTENTION: Low attack complexity
  • Vendor: Siemens
  • Equipment: SIMATIC IPC Family, SIMATIC ITP1000, SIMATIC Field PGs
  • Vulnerabilities: Protection Mechanism Failure

2. RISK EVALUATION

The vulnerabilities identified in the Siemens SIMATIC IPC Family, ITP1000, and Field PGs pose significant risks to the integrity and security of industrial control systems. Successful exploitation of these vulnerabilities could allow an authenticated attacker to alter the secure boot configuration or disable the BIOS password, potentially leading to unauthorized access and control over critical systems.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens has reported that the following products are affected by the identified vulnerabilities:

  • Siemens SIMATIC Field PG M5: All versions
  • Siemens SIMATIC IPC377G: All versions
  • Siemens SIMATIC IPC427E: All versions
  • Siemens SIMATIC IPC477E: All versions
  • Siemens SIMATIC IPC477E PRO: All versions
  • Siemens SIMATIC IPC527G: All versions
  • Siemens SIMATIC IPC627E: Versions prior to 25.02.15
  • Siemens SIMATIC IPC647E: Versions prior to V25.02.15
  • Siemens SIMATIC IPC677E: Versions prior to V25.02.15
  • Siemens SIMATIC IPC847E: Versions prior to V25.02.15
  • Siemens SIMATIC IPC3000 SMART V3: All versions
  • Siemens SIMATIC Field PG M6: Versions prior to V26.01.12 (CVE-2024-56182)
  • Siemens SIMATIC IPC BX-21A: Versions prior to V31.01.07
  • Siemens SIMATIC IPC BX-32A: Versions prior to V29.01.07
  • Siemens SIMATIC IPC BX-39A: Versions prior to V29.01.07
  • Siemens SIMATIC IPC BX-59A: Versions prior to V32.01.04
  • Siemens SIMATIC IPC PX-32A: Versions prior to V29.01.07
  • Siemens SIMATIC IPC PX-39A: Versions prior to V29.01.07
  • Siemens SIMATIC IPC PX-39A PRO: Versions prior to V29.01.07
  • Siemens SIMATIC IPC RC-543B: All versions
  • Siemens SIMATIC IPC RW-543A: All versions
  • Siemens SIMATIC ITP1000: All versions
  • Siemens SIMATIC IPC127E: All versions
  • Siemens SIMATIC IPC277G PRO: All versions
  • Siemens SIMATIC IPC227E: All versions
  • Siemens SIMATIC IPC227G: All versions
  • Siemens SIMATIC IPC277E: All versions
  • Siemens SIMATIC IPC277G: All versions
  • Siemens SIMATIC IPC327G: All versions
  • Siemens SIMATIC IPC347G: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 PROTECTION MECHANISM FAILURE CWE-693

The affected devices exhibit insufficient protection mechanisms for the EFI (Extensible Firmware Interface) variables stored on the device. This vulnerability could allow an authenticated attacker to alter the secure boot configuration without proper authorization by directly communicating with the flash controller.

CVE-2024-56181 has been assigned to this vulnerability, with a CVSS v3 base score of 8.2. The CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-56181, with a base score of 8.4. The CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 PROTECTION MECHANISM FAILURE CWE-693

This vulnerability is similar to the previous one, where the affected devices have insufficient protection mechanisms for the EFI variables. This could allow an authenticated attacker to disable the BIOS password without proper authorization by directly communicating with the flash controller.

CVE-2024