# SSA-168644: Spectre and Meltdown Vulnerabilities in Industrial Products

Publication Date:     2018-02-22
Last Update:          2020-02-10
Current Version:      2.1
CVSS v3.1 Base Score: 5.9

SUMMARY
=======

Security researchers published information on vulnerabilities known as Spectre and Meltdown. These vulnerabilities affect many modern processors from different vendors to a varying degree.

Several Industrial Products include affected processors and are affected by the vulnerabilities.

AFFECTED PRODUCTS AND SOLUTION
==============================

For SIMATIC IPCs (incl. SIPLUS variants), SIMATIC Field PGs, SIMATIC ITP devices, SIMOTION P and SINUMERIK PCUs: Siemens provides first BIOS updates that include chipset microcode updates, and is working on further updates.

In addition to applying the available BIOS updates, customers must also install the operating system patches that are provided by the operating system vendors in order to mitigate the vulnerabilities.

Siemens also recommends following the guidance from operating system vendors where such documentation has been published. Microsoft, for example, published recommendations for Windows Servers: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

* RUGGEDCOM APE
  - Affected versions: All versions with Debian Linux Base Image < 9.4
  - Remediation: Upgrade the APE Linux base image to Debian 9.4.
  - Download: https://support.industry.siemens.com/cs/us/en/view/109757656

* RUGGEDCOM RX1400 VPE
  - Affected versions: All versions with Debian Linux Base Image < 9.4
  - Remediation: Upgrade the VPE Linux base image to Debian 9.4, and follow recommendations from section Workarounds and Mitigations
  - Download: https://support.industry.siemens.com/cs/us/en/view/109757655

* SIMATIC ET 200SP Open Controller (incl. SIPLUS variants)
  - Affected versions: All versions < V2.6
  - Remediation: Update to V2.6
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109759122

* SIMATIC Field PG M4
  - Affected versions: All BIOS versions < V18.01.08
  - Remediation: Update BIOS to V18.01.08
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109037537

* SIMATIC Field PG M5
  - Affected versions: All BIOS versions < V22.01.05
  - Remediation: Update BIOS to V22.01.05 or newer
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109738122

* SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants)
  - Affected versions: All versions with SIMATIC WinCC V14 < V14 SP1 Upd 6
  - Remediation: Update to SIMATIC WinCC V14 SP1 Upd 6
  - Download: https://support.industry.siemens.com/cs/ao/en/view/109747387

* SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants)
  - Affected versions: All versions with SIMATIC WinCC V15 < V15 Upd 2
  - Remediation: Update to V15 Upd 2
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109755826

* SIMATIC HMI Comfort 15-22 Panels (incl. SIPLUS variants) (only MLFBs: 6AV2124-0QC02-0AX1, 6AG1124-0QC02-4AX1, 6AV2124-1QC02-0AX1, 6AG1124-1QC02-4AX1, 6AV2124-0UC02-0AX1, 6AG1124-0UC02-4AX1, 6AV2124-0XC02-0AX1, 6AG1124-0XC02-4AX1)
  - Affected versions: All versions with SIMATIC WinCC V14 < V14 SP1 Upd 6
  - Remediation: Update to SIMATIC WinCC V14 SP1 Upd 6 to mitigate risks in browsers, and follow recommendations from section Workarounds and Mitigations to mitigate risks from running untrusted code.
  - Download: https://support.industry.siemens.com/cs/ao/en/view/109747387

* SIMATIC HMI Comfort 15-22 Panels (incl. SIPLUS variants) (only MLFBs: 6AV2124-0QC02-0AX1, 6AG1124-0QC02-4AX1, 6AV2124-1QC02-0AX1, 6AG1124-1QC02-4AX1, 6AV2124-0UC02-0AX1, 6AG1124-0UC02-4AX1, 6AV2124-0XC02-0AX1, 6AG1124-0XC02-4AX1)
  - Affected versions: All versions with SIMATIC WinCC V15 < V15 Upd 2
  - Remediation: Update to V15 Upd 2 to mitigate risks in browsers, and follow recommendations from section Workarounds and Mitigations to mitigate risks from running untrusted code.
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109755826

* SIMATIC HMI Comfort 4-12" Panels (incl. SIPLUS variants)
  - Affected versions: All versions with SIMATIC WinCC V14 < V14 SP1 Upd 6
  - Remediation: Update to SIMATIC WinCC V14 SP1 Upd 6 to mitigate risks in browsers, and follow recommendations from section Workarounds and Mitigations to mitigate risks from running untrusted code.
  - Download: https://support.industry.siemens.com/cs/ao/en/view/109747387

* SIMATIC HMI Comfort 4-12" Panels (incl. SIPLUS variants)
  - Affected versions: All versions with SIMATIC WinCC V15 < V15 Upd 2
  - Remediation: Update to V15 Upd 2 to mitigate risks in browsers, and follow recommendations from section Workarounds and Mitigations to mitigate risks from running untrusted code.
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109755826

* SIMATIC HMI Comfort PRO Panels V14 (incl. SIPLUS variants)
  - Affected versions: All versions with SIMATIC WinCC V14 < V14 SP1 Upd 6
  - Remediation: Update to SIMATIC WinCC V14 SP1 Upd 6 to mitigate risks in browsers, and follow recommendations from section Workarounds and Mitigations to mitigate risks from running untrusted code.
  - Download: https://support.industry.siemens.com/cs/ao/en/view/109747387

* SIMATIC HMI Comfort PRO Panels V15 (incl. SIPLUS variants)
  - Affected versions: All versions with SIMATIC WinCC V15 < V15 Upd 2
  - Remediation: Update to V15 Upd 2 to mitigate risks in browsers, and follow recommendations from section Workarounds and Mitigations to mitigate risks from running untrusted code.
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109755826

* SIMATIC HMI KTP Mobile Panels
  - Affected versions: All versions with SIMATIC WinCC V14 < V14 SP1 Upd 6
  - Remediation: Update to SIMATIC WinCC V14 SP1 Upd 6 to mitigate risks in browsers, and follow recommendations from section Workarounds and Mitigations to mitigate risks from running untrusted code.
  - Download: https://support.industry.siemens.com/cs/ao/en/view/109747387

* SIMATIC HMI KTP Mobile Panels
  - Affected versions: All versions with SIMATIC WinCC V15 < V15 Upd 2
  - Remediation: Update to V15 Upd 2 to mitigate risks in browsers, and follow recommendations from section Workarounds and Mitigations to mitigate risks from running untrusted code.
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109755826

* SIMATIC IPC227E
  - Affected versions: All BIOS versions < V20.01.11
  - Remediation: Update BIOS to V20.01.11
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109481715

* SIMATIC IPC277E
  - Affected versions: All BIOS versions < V20.01.11
  - Remediation: Update BIOS to V20.01.11
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109481715

* SIMATIC IPC3000 SMART V2
  - Affected versions: All versions < SMS-002 V1.4
  - Remediation: Update BIOS to SMS-002 V1.4
  - Download: https://support.industry.siemens.com/cs/document/109759824/

* SIMATIC IPC327E
  - Affected versions: All BIOS versions < V1.6.3C
  - Remediation: Update BIOS to V1.6.3C
  - Download: https://support.industry.siemens.com/cs/document/109757289/

* SIMATIC IPC347E
  - Affected versions: All versions < SMS-002 V1.4
  - Remediation: Update BIOS to SMS-002 V1.4
  - Download: https://support.industry.siemens.com/cs/document/109759824/

* SIMATIC IPC377E
  - Affected versions: All BIOS versions < V1.6.3C
  - Remediation: Update BIOS to V1.6.3C
  - Download: https://support.industry.siemens.com/cs/document/109757289/

* SIMATIC IPC427C
  - Affected versions: All BIOS versions
  - Remediation: See recommendations from section Workarounds and Mitigations

* SIMATIC IPC427D (incl. SIPLUS variants)
  - Affected versions: All BIOS versions < V17.0x.12
  - Remediation: Update BIOS to V17.0x.12 or newer
  - Download: https://support.industry.siemens.com/cs/ww/en/view/108608500

* SIMATIC IPC427E (incl. SIPLUS variants)
  - Affected versions: All BIOS versions < V21.01.08
  - Remediation: Update BIOS to V21.01.08
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109742593

* SIMATIC IPC477C
  - Affected versions: All BIOS versions
  - Remediation: See recommendations from section Workarounds and Mitigations

* SIMATIC IPC477D
  - Affected versions: All BIOS versions < V17.0x.12
  - Remediation: Update BIOS to V17.0x.12 or newer
  - Download: https://support.industry.siemens.com/cs/ww/en/view/108608500

* SIMATIC IPC477E
  - Affected versions: All BIOS versions < V21.01.08
  - Remediation: Update BIOS to V21.01.08
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109742593

* SIMATIC IPC477E Pro
  - Affected versions: All BIOS versions < V21.01.08
  - Remediation: Update BIOS to V21.01.08
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109742593

* SIMATIC IPC547E
  - Affected versions: All BIOS versions < R1.30.0
  - Remediation: Update BIOS to R1.30.0
  - Download: https://support.industry.siemens.com/cs/us/en/view/109481624

* SIMATIC IPC547G
  - Affected versions: All BIOS versions < R1.21.0
  - Remediation: Update BIOS to R1.21.0
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109750349

* SIMATIC IPC627C
  - Affected versions: All BIOS versions < V15.02.14
  - Remediation: Update BIOS to V15.02.14
  - Download: https://support.industry.siemens.com/cs/ww/en/view/48792087

* SIMATIC IPC627D
  - Affected versions: All BIOS versions < V19.02.10
  - Remediation: Update BIOS to V19.02.10
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109474954

* SIMATIC IPC647C
  - Affected versions: All BIOS versions < V15.01.13
  - Remediation: Update BIOS to V15.01.13
  - Download: https://support.industry.siemens.com/cs/ww/en/view/48792076

* SIMATIC IPC647D
  - Affected versions: All BIOS versions < V19.01.11
  - Remediation: Update BIOS to V19.01.11 or newer
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109037779

* SIMATIC IPC677C
  - Affected versions: All BIOS versions < V15.02.14
  - Remediation: Update BIOS to V15.02.14
  - Download: https://support.industry.siemens.com/cs/ww/en/view/48792087

* SIMATIC IPC677D
  - Affected versions: All BIOS versions < V19.02.10
  - Remediation: Update BIOS to V19.02.10
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109474954

* SIMATIC IPC827C
  - Affected versions: All BIOS versions < V15.02.14
  - Remediation: Update BIOS to V15.02.14
  - Download: https://support.industry.siemens.com/cs/ww/en/view/48792087

* SIMATIC IPC827D
  - Affected versions: All BIOS versions < V19.02.10
  - Remediation: Update BIOS to V19.02.10
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109474954

* SIMATIC IPC847C
  - Affected versions: All BIOS versions < V15.01.13
  - Remediation: Update BIOS to V15.01.13
  - Download: https://support.industry.siemens.com/cs/ww/en/view/48792076

* SIMATIC IPC847D
  - Affected versions: All BIOS versions < V19.01.11
  - Remediation: Update BIOS to V19.01.11 or newer
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109037779

* SIMATIC ITP1000
  - Affected versions: All versions < V23.01.03
  - Remediation: Update BIOS to V23.01.03
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109748173

* SIMATIC S7-1500 Software Controller
  - Affected versions: All versions < V2.5
  - Remediation: Update to V2.5
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109756778

* SIMATIC S7-1518-4 PN/DP ODK (MLFB: 6ES7518-4AP00-3AB0)
  - Affected versions: All versions < V2.5.2
  - Remediation: Update to V2.5.2
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109478459

* SIMATIC S7-1518F-4 PN/DP ODK (MLFB: 6ES7518-4FP00-3AB0)
  - Affected versions: All versions < V2.5.2
  - Remediation: Update to V2.5.2
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109478459

* SIMOTION P320-4E
  - Affected versions: All BIOS versions < V17.0x.13
  - Remediation: Update BIOS to V17.0x.13
  - Download: https://support.industry.siemens.com/cs/ww/en/view/108608500

* SIMOTION P320-4S
  - Affected versions: All BIOS versions < V17.0x.13
  - Remediation: Update BIOS to V17.0x.13
  - Download: https://support.industry.siemens.com/cs/ww/en/view/108608500

* SINEMA Remote Connect
  - Affected versions: All versions
  - Remediation: To protect the SINEMA Remote Connect application inside of a VMware appliance against hardware mitigation for branch target injection issue identified in CVE-2017-5715, see VMware Security Advisory (https://www.vmware.com/us/security/advisories/VMSA-2018-0004.html). For the Hypervisor-Assisted Guest Mitigation for branch target injection see VMware KB 52085 (https://kb.vmware.com/s/article/52085).

* SINUMERIK 840 D sl (NCU720.3B, NCU730.3B, NCU720.3, NCU730.3)
  - Affected versions: All versions
  - Remediation: See recommendations from section Workarounds and Mitigations

* SINUMERIK PCU 50.5
  - Affected versions: All BIOS versions < V15.02.15
  - Remediation: Update BIOS to V15.02.15
  - Download: https://support.industry.siemens.com/cs/ww/en/view/48792087

* SINUMERIK Panels with integrated TCU
  - Affected versions: All versions released >= 2016
  - Remediation: Follow recommendations for SINUMERIK PCU or SINUMERIK TCU

* SINUMERIK TCU 30.3
  - Affected versions: All versions
  - Remediation: See recommendations from section Workarounds and Mitigations

WORKAROUNDS AND MITIGATIONS
===========================

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

* For SIMATIC IPCs (incl. SIPLUS variants), SIMATIC Field PGs, SIMATIC ITP devices, SIMOTION P and SINUMERIK PCUs: It is recommended to apply appropriate operating system updates while considering the compatibility notes of the application software in use. Applying the operating system patches provides mitigations against CVE-2017-5754 (Meltdown) and CVE-2017-5753 (Spectre Variant 1). Compatibility information for Siemens Industrial Software can be found at: https://support.industry.siemens.com/cs/ww/en/view/109754953
  Siemens also recommends following the guidance from operating system vendors where such documentation has been published. Microsoft, for example, published recommendations for Windows Servers: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

* As a prerequisite for an attack, an attacker must be able to run untrusted code on affected systems. Therefore, Siemens recommends determining if it is possible that untrusted code can be run on these systems, or if existing measures implemented by the operator reduce the likelihood of untrusted code being run. Siemens recommends limiting the possibilities to run untrusted code if possible.

* Applying a Defense-in-Depth concept can help to reduce the probability that untrusted code is run on the system. Siemens recommends applying the Defense-in-Depth concept: https://www.siemens.com/industrialsecurity

GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and following the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION
===================

RUGGEDCOM APE serves as a utility-grade computing platform for the RUGGEDCOM RX1500 router family. It also allows third-party software applications to run without the need to procure an external industrial PC.

As the virtual machine environment for the RUGGEDCOM RX1400, the RUGGEDCOM VPE1400 is ideally suited for harsh environments, such as those found in electric power, transportation, defense systems and oil and gas industries.

The SIMATIC ET 200SP Open Controller is a PC-based version of the SIMATIC S7-1500 Controller including optional visualization in combination with central I/Os in a compact device.

SIMATIC Industrial PCs are the PC hardware platform for PC-based Automation from Siemens.

SIMATIC HMI Panels are used for operator control and monitoring of machines and plants.

SIMATIC Mobile Panel 277(F) IWLAN is designed for HMI tasks of medium complexity for wireless use in PROFINET environments.

SIMATIC S7-1500 Software Controller is a SIMATIC software controller for PC-based automation solutions.

The SIMATIC S7-1500 ODK CPUs provide the functionality of standard S7-1500 CPUs and additionally make it possible to run C/C++ code within the CPU runtime, for execution of own functions / algorithms implemented in C/C++. They have been designed for discrete and continuous control in industrial environments such as manufacturing, food and beverages, and chemical industries worldwide.

SIMOTION is a scalable high performance hardware and software system for motion control.

SINEMA Remote Connect ensures management of secure connections (VPN) between headquarters, service technicians and the installed machines or plants.

SINUMERIK CNC offers automation solutions for the shop floor, job shops and large serial production environments.

SINUMERIK Panel Control Unit (PCU) offers HMI functionality for SINUMERIK CNC controllers.

SINUMERIK Thin Client Unit (TCU) offers HMI functionality for SINUMERIK CNC controllers.

SIPLUS extreme products are designed for reliable operation under extreme conditions and are based on SIMATIC, LOGO!, SITOP, SINAMICS, SIMOTION, SCALANCE or other devices. SIPLUS devices use the same firmware as the product they are based on.

VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.

* Vulnerability CVE-2017-5754

  An attacker with local access to the system could potentially disclose information from protected memory areas via a side-channel attack on the processor cache.

  CVSS v3.1 Base Score: 5.9
  CVSS Vector:          CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
  CWE:                  CWE-200: Information Exposure

* Vulnerability CVE-2017-5715

  An attacker with local access to the system could potentially disclose information from protected memory areas via a side-channel attack on the processor cache.

  CVSS v3.1 Base Score: 5.9
  CVSS Vector:          CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
  CWE:                  CWE-200: Information Exposure

* Vulnerability CVE-2017-5753

  An attacker with local access to the system could potentially disclose information from protected memory areas via a side-channel attack on the processor cache.

  CVSS v3.1 Base Score: 5.9
  CVSS Vector:          CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
  CWE:                  CWE-200: Information Exposure

ACKNOWLEDGMENTS
===============

Siemens thanks the following parties for their efforts:

* Artem Zinenko from Kaspersky for pointing out that SIPLUS should also be mentioned

ADDITIONAL INFORMATION
======================

Further information on Spectre and Meltdown can be found on the website provided by the researchers: https://spectreattack.com/

Further information on SIMATIC IPC and SIMATIC Field PGs can be found on https://support.industry.siemens.com/cs/ww/en/view/109747626

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA
============

V1.0 (2018-02-22): Publication Date
V1.1 (2018-03-15): Corrected products: SIMATIC IPC3000 SMART V2, SIMATIC IPC647D. Added updates for SIMATIC IPC427E, IPC477E, IPC547G
V1.2 (2018-03-20): Added updates for SIMATIC IPC647D, SIMATIC IPC847D, SIMATIC IPC627D, SIMATIC IPC677D, SIMATIC IPC827D, SIMATIC IPC227E, SIMATIC IPC277E
V1.3 (2018-04-18): Added updates for SIMATIC IPC427D, SIMATIC IPC477D, SIMATIC FieldPG M4
V1.4 (2018-05-29): Corrected products: BIOS for SIMATIC IPC847C also applies to SIMATIC IPC647C. Added solution for RUGGEDCOM APE, RUGGEDCOM VPE1400, SINEMA Remote Connect, SIMATIC S7-1518-4 PN/DP ODK, SIMATIC S7-1518F-4 PN/DP ODK, and SIMATIC HMI Panels.
V1.5 (2018-06-26): Added update information for HMI Panels with SIMATIC WinCC V14
V1.6 (2018-08-07): Added update information for SIMATIC IPC6x7C, SIMATIC IPC8x7C, SIMOTION P320-4S, and SIMOTION P320-4E
V1.7 (2018-09-11): Added update for SIMATIC IPC3000 SMART V2, SIMATIC IPC347E, SIMATIC IPC377E, SIMATIC IPC327E
V1.8 (2018-11-13): Updated solution for RUGGEDCOM RX1400 VPE
V1.9 (2019-02-12): Updated solution for SIMATIC ET 200 SP Open Controller, SIMATIC IPC547E
V2.0 (2019-03-12): Updated solution for SINUMERIK PCU
V2.1 (2020-02-10): SIPLUS devices now explicitly mentioned in the list of affected products

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.