Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.TENABLE_OT_SIEMENS_CVE-2022-38465.NASL
HistoryNov 07, 2022 - 12:00 a.m.

Siemens SINUMERIK ONE and SINUMERIK MC Insufficiently Protected Credentials (CVE-2022-38465)

2022-11-0700:00:00
This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
12
siemens
sinumerik
simatic
controllers
vulnerability
credentials
cve-2022-38465
offline attack
configuration data
key extraction
legacy communication attack

9.3 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C

7.5 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

12.6%

JSON

A vulnerability has been identified in SIMATIC Drive Controller family (All versions < V2.9.2), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions < V21.9), SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All versions < V4.5.0), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions < V2.9.2), SIMATIC S7-1500 Software Controller (All versions < V21.9), SIMATIC S7-PLCSIM Advanced (All versions < V4.0), SINUMERIK MC (All versions < V6.21), SINUMERIK ONE (All versions < V6.21). Affected products protect the built-in global private key in a way that cannot be considered sufficient any longer. The key is used for the legacy protection of confidential configuration data and the legacy PG/PC and HMI communication. This could allow attackers to discover the private key of a CPU product family by an offline attack against a single CPU of the family.
Attackers could then use this knowledge to extract confidential configuration data from projects that are protected by that key or to perform attacks against legacy PG/PC and HMI communication.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(500704);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/04");

  script_cve_id("CVE-2022-38465");

  script_name(english:"Siemens SINUMERIK ONE and SINUMERIK MC Insufficiently Protected Credentials (CVE-2022-38465)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in SIMATIC Drive Controller family
(All versions < V2.9.2), SIMATIC ET 200SP Open Controller CPU 1515SP
PC (incl. SIPLUS variants) (All versions), SIMATIC ET 200SP Open
Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions <
V21.9), SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All
versions < V4.5.0), SIMATIC S7-1500 CPU family (incl. related ET200
CPUs and SIPLUS variants) (All versions < V2.9.2), SIMATIC S7-1500
Software Controller (All versions < V21.9), SIMATIC S7-PLCSIM Advanced
(All versions < V4.0), SINUMERIK MC (All versions < V6.21), SINUMERIK
ONE (All versions < V6.21). Affected products protect the built-in
global private key in a way that cannot be considered sufficient any
longer. The key is used for the legacy protection of confidential
configuration data and the legacy PG/PC and HMI communication. This
could allow attackers to discover the private key of a CPU product
family by an offline attack against a single CPU of the family.
Attackers could then use this knowledge to extract confidential
configuration data from projects that are protected by that key or to
perform attacks against legacy PG/PC and HMI communication.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-568427.pdf");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-568428.pdf");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-22-314-04");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens identified the following specific workarounds and mitigations that customers can apply to reduce the risk: 

- Expose the communication between the S7-1500 CPU and the HMI of the affected products only to trusted network
environments.
- Protect access to the TIA Portal project and SINUMERIK NCU (including related memory cards) from unauthorized actors.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. In
order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to
SiemensҀ™ operational guidelines for industrial security and following the recommendations in the product manuals.

For more information, see Siemens security advisory SSA-568428 in HTML or CSAF.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-38465");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(522);

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/10/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/10/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/11/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_drive_controller_cpu_1504d_tf_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_drive_controller_cpu_1507d_tf_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_et_200_sp_open_controller_cpu_1515sp_pc2_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_et_200_sp_open_controller_cpu_1515sp_pc_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1200_cpu_12_1211c_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1200_cpu_12_1212c_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1200_cpu_12_1212fc_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1200_cpu_12_1214c_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1200_cpu_12_1214fc_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1200_cpu_12_1215c_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1200_cpu_12_1215fc_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1200_cpu_12_1217c_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1510sp-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1510sp_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1511-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1511t-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1511tf-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1512c-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1512sp-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1512spf-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1513-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1513f-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1513r-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1515-2_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_151511c-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_151511f-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1515f-2_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1515r-2_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1515t-2_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1516-3_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1516f-3_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1516pro_f_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1516t-3_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1516tf-3_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1517-3_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1517f-3_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1518-4_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1518f-4_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1518hf-4_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1518t-4_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_1518tf-4_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_15pro-2_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:simatic_s7-1500_cpu_15prof-2_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:simatic_et_200_sp_open_controller_cpu_1515sp_pc2_firmware" :
        {"versionEndExcluding" : "21.9", "family" : "ET200SP"},
    "cpe:/o:siemens:simatic_et_200_sp_open_controller_cpu_1515sp_pc_firmware" :
        {"family" : "ET200SP"},
    "cpe:/o:siemens:simatic_drive_controller_cpu_1504d_tf_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_drive_controller_cpu_1507d_tf_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1200_cpu_12_1211c_firmware" :
        {"versionEndExcluding" : "4.5.0", "family" : "S71200"},
    "cpe:/o:siemens:simatic_s7-1200_cpu_12_1212c_firmware" :
        {"versionEndExcluding" : "4.5.0", "family" : "S71200"},
    "cpe:/o:siemens:simatic_s7-1200_cpu_12_1212fc_firmware" :
        {"versionEndExcluding" : "4.5.0", "family" : "S71200"},
    "cpe:/o:siemens:simatic_s7-1200_cpu_12_1214fc_firmware" :
        {"versionEndExcluding" : "4.5.0", "family" : "S71200"},
    "cpe:/o:siemens:simatic_s7-1200_cpu_12_1214c_firmware" :
        {"versionEndExcluding" : "4.5.0", "family" : "S71200"},
    "cpe:/o:siemens:simatic_s7-1200_cpu_12_1215fc_firmware" :
        {"versionEndExcluding" : "4.5.0", "family" : "S71200"},
    "cpe:/o:siemens:simatic_s7-1200_cpu_12_1215c_firmware" :
        {"versionEndExcluding" : "4.5.0", "family" : "S71200"},
    "cpe:/o:siemens:simatic_s7-1200_cpu_12_1217c_firmware" :
        {"versionEndExcluding" : "4.5.0", "family" : "S71200"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1510sp-1_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1510sp_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1511-1_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_151511c-1_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_151511f-1_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1511t-1_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1511tf-1_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1512c-1_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1512sp-1_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1512spf-1_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1513-1_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1513f-1_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1513r-1_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_15prof-2_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_15pro-2_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1515-2_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1515f-2_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1515r-2_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1515t-2_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1516pro_f_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1516-3_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1516f-3_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1516t-3_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1516tf-3_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1517-3_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1517f-3_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1518-4_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1518f-4_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1518hf-4_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1518t-4_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"},
    "cpe:/o:siemens:simatic_s7-1500_cpu_1518tf-4_firmware" :
        {"versionEndExcluding" : "2.9.2", "family" : "S71500"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);
VendorProductVersionCPE
siemenssimatic_et_200_sp_open_controller_cpu_1515sp_pc_firmwarecpe:/o:siemens:simatic_et_200_sp_open_controller_cpu_1515sp_pc_firmware
siemenssimatic_s7-1500_cpu_1512sp-1_firmwarecpe:/o:siemens:simatic_s7-1500_cpu_1512sp-1_firmware
siemenssimatic_s7-1500_cpu_1518f-4_firmwarecpe:/o:siemens:simatic_s7-1500_cpu_1518f-4_firmware
siemenssimatic_s7-1500_cpu_1512c-1_firmwarecpe:/o:siemens:simatic_s7-1500_cpu_1512c-1_firmware
siemenssimatic_s7-1500_cpu_1510sp_firmwarecpe:/o:siemens:simatic_s7-1500_cpu_1510sp_firmware
siemenssimatic_s7-1500_cpu_1517-3_firmwarecpe:/o:siemens:simatic_s7-1500_cpu_1517-3_firmware
siemenssimatic_s7-1500_cpu_1517f-3_firmwarecpe:/o:siemens:simatic_s7-1500_cpu_1517f-3_firmware
siemenssimatic_s7-1500_cpu_1513f-1_firmwarecpe:/o:siemens:simatic_s7-1500_cpu_1513f-1_firmware
siemenssimatic_s7-1500_cpu_151511c-1_firmwarecpe:/o:siemens:simatic_s7-1500_cpu_151511c-1_firmware
siemenssimatic_s7-1500_cpu_1518hf-4_firmwarecpe:/o:siemens:simatic_s7-1500_cpu_1518hf-4_firmware
Rows per page:
1-10 of 431

Related

ics 2
prion 1
nvd 1
cve 1
cvelist 1
thn 1
ics
ics
Siemens SINUMERIK ONE and SINUMERIK MC
2022-11-10 12:00:00
Siemens SIMATIC S7-1200 and S7-1500 CPU Families
2022-10-13 12:00:00
prion
prion
Code injection
2022-10-11 11:15:00
nvd
nvd
CVE-2022-38465
2022-10-11 11:15:10
cve
cve
CVE-2022-38465
2022-10-11 11:15:10
cvelist
cvelist
CVE-2022-38465
2022-10-11 00:00:00
thn
thn
Critical Bug in Siemens SIMATIC PLCs Could Let Attackers Steal Cryptographic Keys
2022-10-12 10:41:00

9.3 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C

7.5 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

12.6%

JSON
Related for TENABLE_OT_SIEMENS_CVE-2022-38465.NASL
ics2prion1nvd1cve1cvelist1thn1