# SSA-268644: Spectre-NG (Variants 3a and 4) Vulnerabilities in Industrial Products

Publication Date:      2018-09-11
Last Update:           2020-02-10
Current Version:       1.6
CVSS v3.1 Base Score:  4.3

SUMMARY
=======

Security researchers published information on vulnerabilities known as Spectre-NG (Variants 3a and 4). These vulnerabilities affect many modern processors from different vendors to a varying degree.

Several Industrial Products include affected processors and are affected by the vulnerabilities.

AFFECTED PRODUCTS AND SOLUTION
==============================

For SIMATIC IPCs (incl. SIPLUS variants), SIMATIC Field PGs, SIMATIC ITP devices, SIMOTION P and SINUMERIK PCUs: Siemens provides first BIOS updates that include chipset microcode updates, and is working on further updates.

In addition to applying the available BIOS updates, customers must also install the operating system patches that are provided by the operating system vendors in order to mitigate the vulnerabilities. Depending on the deployed operating system version, additional steps may be required to enable the mitigations. Please see operating system documentation for details.

* RUGGEDCOM APE
  - Affected versions: All versions
  - Remediation: For CVE-2018-3639 apply Debian stretch updates as soon as they become available (https://security-tracker.debian.org/tracker/CVE-2018-3639). For CVE-2018-3640 please note that according to ARM (https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability) it is not believed that software mitigations for this issue are necessary.

* RUGGEDCOM RX1400 VPE
  - Affected versions: All versions
  - Affected by vulnerabilities:
    - CVE-2018-3640
  - Remediation: According to ARM (https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability) it is not believed that software mitigations for this issue are necessary.

* SIMATIC ET 200SP Open Controller (incl. SIPLUS variants)
  - Affected versions: All versions < V2.6
  - Remediation: Update to V2.6
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109759122

* SIMATIC Field PG M4
  - Affected versions: All BIOS versions < V18.01.09
  - Remediation: Update BIOS to V18.01.09
  - Download: https://support.industry.siemens.com/cs/de/en/view/109037537

* SIMATIC Field PG M5
  - Affected versions: All BIOS versions < V22.01.06
  - Remediation: Update BIOS to V22.01.06
  - Download: https://support.industry.siemens.com/cs/de/en/view/109738122

* SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants)
  - Affected versions: All versions with SIMATIC WinCC V14 < V14 SP1 Upd 6
  - Remediation: Update to V14 SP1 Upd 6 to mitigate risks in browsers, and follow recommendations from section Workarounds and Mitigations to mitigate risks from running untrusted code.
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109747387

* SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants)
  - Affected versions: All versions with SIMATIC WinCC V15 < V15.1
  - Remediation: Update to V15.1 to mitigate risks in browsers, and follow recommendations from section Workarounds and Mitigations to mitigate risks from running untrusted code.
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109761203

* SIMATIC HMI Comfort 15-22 Panels (incl. SIPLUS variants) (only MLFBs: 6AV2124-0QC02-0AX1, 6AG1124-0QC02-4AX1, 6AG1124-1QC02-4AX1, 6AV2124-1QC02-0AX1, 6AG1124-1QC02-4AX1, 6AG1124-0UC02-4AX1, 6AV2124-0UC02-0AX1, 6AG1124-0UC02-4AX1, 6AV2124-0XC02-0AX1, 6AG1124-0XC02-4AX1)
  - Affected versions: All versions with SIMATIC WinCC V14 < V14 SP1 Upd 6
  - Remediation: Update to V14 SP1 Upd 6 to mitigate risks in browsers, and follow recommendations from section Workarounds and Mitigations to mitigate risks from running untrusted code.
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109747387

* SIMATIC HMI Comfort 15-22 Panels (incl. SIPLUS variants) (only MLFBs: 6AV2124-0QC02-0AX1, 6AG1124-0QC02-4AX1, 6AG1124-1QC02-4AX1, 6AV2124-1QC02-0AX1, 6AG1124-1QC02-4AX1, 6AV2124-0UC02-0AX1, 6AG1124-0UC02-4AX1, 6AV2124-0XC02-0AX1, 6AG1124-0XC02-4AX1)
  - Affected versions: All versions with SIMATIC WinCC V15 < V15 Upd 2
  - Remediation: Update to V15 Upd 2 to mitigate risks in browsers, and follow recommendations from section Workarounds and Mitigations to mitigate risks from running untrusted code.
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109755826

* SIMATIC HMI Comfort 4-12" Panels (incl. SIPLUS variants)
  - Affected versions: All versions with SIMATIC WinCC V14 < V14 SP1 Upd 6
  - Remediation: Update to V14 SP1 Upd 6 to mitigate risks in browsers, and follow recommendations from section Workarounds and Mitigations to mitigate risks from running untrusted code.
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109747387

* SIMATIC HMI Comfort 4-12" Panels (incl. SIPLUS variants)
  - Affected versions: All versions with SIMATIC WinCC V15 < V15 Upd 2
  - Remediation: Update to V15 Upd 2 to mitigate risks in browsers, and follow recommendations from section Workarounds and Mitigations to mitigate risks from running untrusted code.
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109755826

* SIMATIC HMI Comfort PRO Panels (incl. SIPLUS variants)
  - Affected versions: All versions with SIMATIC WinCC V14 < V14 SP1 Upd 6
  - Remediation: Update to V14 SP1 Upd 6 to mitigate risks in browsers, and follow recommendations from section Workarounds and Mitigations to mitigate risks from running untrusted code.
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109747387

* SIMATIC HMI Comfort PRO Panels V15 (incl. SIPLUS variants)
  - Affected versions: All versions with SIMATIC WinCC V15 < V15 Upd 2
  - Remediation: Update to V15 Upd 2 to mitigate risks in browsers, and follow recommendations from section Workarounds and Mitigations to mitigate risks from running untrusted code.
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109755826

* SIMATIC HMI KTP Mobile Panels
  - Affected versions: All versions with SIMATIC WinCC V14 < V14 SP1 Upd 6
  - Remediation: Update to V14 SP1 Upd 6 to mitigate risks in browsers, and follow recommendations from section Workarounds and Mitigations to mitigate risks from running untrusted code.
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109747387

* SIMATIC HMI KTP Mobile Panels
  - Affected versions: All versions with SIMATIC WinCC V15 < V15 Upd 2
  - Remediation: Update to V15 Upd 2 to mitigate risks in browsers, and follow recommendations from section Workarounds and Mitigations to mitigate risks from running untrusted code.
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109755826

* SIMATIC IPC3000 SMART V2
  - Affected versions: All versions < V1.5
  - Remediation: Update BIOS to V1.5
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109759824

* SIMATIC IPC347E
  - Affected versions: All versions < V1.5
  - Remediation: Update BIOS to V1.5
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109759824

* SIMATIC IPC427C
  - Affected versions: All versions
  - Remediation: See recommendations from section Workarounds and Mitigations

* SIMATIC IPC427D (incl. SIPLUS variants)
  - Affected versions: All BIOS versions < V17.0X.14
  - Remediation: Update BIOS to V17.0X.14
  - Download: https://support.industry.siemens.com/cs/de/en/view/108608500

* SIMATIC IPC427E (incl. SIPLUS variants)
  - Affected versions: All BIOS versions < V21.01.09
  - Remediation: Update BIOS to V21.01.09
  - Download: https://support.industry.siemens.com/cs/de/en/view/109742593

* SIMATIC IPC477C
  - Affected versions: All versions
  - Remediation: See recommendations from section Workarounds and Mitigations

* SIMATIC IPC477D
  - Affected versions: All BIOS versions < V17.0X.14
  - Remediation: Update BIOS to V17.0X.14
  - Download: https://support.industry.siemens.com/cs/de/en/view/108608500

* SIMATIC IPC477E
  - Affected versions: All BIOS versions < V21.01.09
  - Remediation: Update BIOS to V21.01.09
  - Download: https://support.industry.siemens.com/cs/de/en/view/109742593

* SIMATIC IPC477E Pro
  - Affected versions: All BIOS versions < V21.01.09
  - Remediation: Update BIOS to V21.01.09
  - Download: https://support.industry.siemens.com/cs/de/en/view/109742593

* SIMATIC IPC547E
  - Affected versions: All BIOS versions < R1.30.0
  - Remediation: Update BIOS to R1.30.0
  - Download: https://support.industry.siemens.com/cs/us/en/view/109481624

* SIMATIC IPC547G
  - Affected versions: All BIOS versions < R1.23.0
  - Remediation: Update BIOS to R1.23.0
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109750349

* SIMATIC IPC627C
  - Affected versions: All BIOS versions < V15.02.15
  - Remediation: Update BIOS to V15.02.15
  - Download: https://support.industry.siemens.com/cs/ww/en/view/48792087

* SIMATIC IPC627D
  - Affected versions: All BIOS versions < V19.02.11
  - Remediation: Update BIOS to V19.02.11
  - Download: https://support.industry.siemens.com/cs/ww/de/view/109474954

* SIMATIC IPC647C
  - Affected versions: All BIOS versions < V15.01.14
  - Remediation: Update BIOS to V15.01.14
  - Download: https://support.industry.siemens.com/cs/ww/en/view/48792076

* SIMATIC IPC647D
  - Affected versions: All BIOS versions < V19.01.14
  - Remediation: Update BIOS to V19.01.14
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109037779

* SIMATIC IPC677C
  - Affected versions: All BIOS versions < V15.02.15
  - Remediation: Update BIOS to V15.02.15
  - Download: https://support.industry.siemens.com/cs/ww/en/view/48792087

* SIMATIC IPC677D
  - Affected versions: All BIOS versions < V19.02.11
  - Remediation: Update BIOS to V19.02.11
  - Download: https://support.industry.siemens.com/cs/ww/de/view/109474954

* SIMATIC IPC827C
  - Affected versions: All BIOS versions < V15.02.15
  - Remediation: Update BIOS to V15.02.15
  - Download: https://support.industry.siemens.com/cs/ww/en/view/48792087

* SIMATIC IPC827D
  - Affected versions: All BIOS versions < V19.02.11
  - Remediation: Update BIOS to V19.02.11
  - Download: https://support.industry.siemens.com/cs/ww/de/view/109474954

* SIMATIC IPC847C
  - Affected versions: All BIOS versions < V15.01.14
  - Remediation: Update BIOS to V15.01.14
  - Download: https://support.industry.siemens.com/cs/ww/en/view/48792076

* SIMATIC IPC847D
  - Affected versions: All BIOS versions < V19.01.14
  - Remediation: Update BIOS to V19.01.14
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109037779

* SIMATIC ITP1000
  - Affected versions: All versions < V23.01.04
  - Remediation: Update BIOS to V23.01.04
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109748173

* SIMATIC S7-1500 CPU S7-1518-4 PN/DP MFP (MLFB: 6ES7518-4AX00-1AC0, 6AG1518-4AX00-4AC0, incl. SIPLUS variants)
  - Affected versions: All versions < V2.6
  - Remediation: Update to V2.6
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109478459

* SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK (MLFB: 6ES7518-4AP00-3AB0)
  - Affected versions: All versions < V2.6
  - Remediation: Update to V2.6
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109478459

* SIMATIC S7-1500 CPU S7-1518F-4 PN/DP MFP (MLFB: 6ES7518-4FX00-1AC0)
  - Affected versions: All versions < V2.6
  - Remediation: Update to V2.6
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109478459

* SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (MLFB: 6ES7518-4FP00-3AB0)
  - Affected versions: All versions < V2.6
  - Remediation: Update to V2.6
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109478459

* SIMATIC S7-1500 Software Controller
  - Affected versions: All versions < V2.6
  - Remediation: Update to V2.6
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109478528

* SIMOTION P320-4E
  - Affected versions: All BIOS versions < V17.0X.14
  - Remediation: Update BIOS to V17.0X.14
  - Download: https://support.industry.siemens.com/cs/de/en/view/108608500

* SIMOTION P320-4S
  - Affected versions: All BIOS versions < V17.0X.14
  - Remediation: Update BIOS to V17.0X.14
  - Download: https://support.industry.siemens.com/cs/de/en/view/108608500

* SINEMA Remote Connect
  - Affected versions: All versions
  - Remediation: To protect the SINEMA Remote Connect application inside of a VMware appliance against the Speculative Store Bypass issue (CVE-2018-3639), see VMware Security Advisory (https://www.vmware.com/security/advisories/VMSA-2018-0012.html).

* SINUMERIK 840 D sl (NCU720.3B, NCU730.3B, NCU720.3, NCU730.3)
  - Affected versions: All versions
  - Remediation: See recommendations from section Workarounds and Mitigations

* SINUMERIK PCU 50.5
  - Affected versions: All BIOS versions < V15.02.15
  - Remediation: Update BIOS to V15.02.15
  - Download: https://support.industry.siemens.com/cs/ww/en/view/48792087

* SINUMERIK Panels with integrated TCU
  - Affected versions: All versions released >= 2016
  - Remediation: Follow recommendations for SINUMERIK PCU or SINUMERIK TCU

* SINUMERIK TCU 30.3
  - Affected versions: All versions
  - Remediation: See recommendations from section Workarounds and Mitigations

WORKAROUNDS AND MITIGATIONS
===========================

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

* As a prerequisite for an attack, an attacker must be able to run untrusted code on affected systems. Siemens recommends limiting the possibilities to run untrusted code if possible.
* Applying a Defense-in-Depth concept can help to reduce the probability that untrusted code is run on the system. Siemens recommends applying the Defense-in-Depth concept: https://www.siemens.com/industrialsecurity

GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and following the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION
===================

RUGGEDCOM APE serves as a utility-grade computing platform for the RUGGEDCOM RX1500 router family. It also allows running third-party software applications without needing to procure an external industrial PC.

As the virtual machine environment for the RUGGEDCOM RX1400, the RUGGEDCOM VPE1400 is ideally suited for harsh environments, such as those found in electric power, transportation, defense systems and oil and gas industries.

The SIMATIC ET 200SP Open Controller is a PC-based version of the SIMATIC S7-1500 Controller including optional visualization in combination with central I/Os in a compact device.

SIMATIC Industrial PCs are the PC hardware platform for PC-based Automation from Siemens.

SIMATIC HMI Panels are used for operator control and monitoring of machines and plants.

SIMATIC Mobile Panel 277(F) IWLAN is designed for HMI tasks of medium complexity for wireless use in PROFINET environments.

SIMATIC S7-1500 Software Controller is a SIMATIC software controller for PC-based automation solutions.

The SIMATIC S7-1500 ODK CPUs provide functionality of standard S7-1500 CPUs but additionally provide the possibility to run C/C++ code within the CPU-Runtime for execution of own functions / algorithms implemented in C/C++. They have been designed for discrete and continuous control in industrial environments such as manufacturing, food and beverages, and chemical industries worldwide.

The SIMATIC S7-1500 MFP CPUs provide functionality of standard S7-1500 CPUs with the possibility to run C/C++ code within the CPU-Runtime for execution of own functions / algorithms implemented in C/C++ and an additional second independent runtime environment to execute C/C++ applications parallel to the STEP 7 program if required.

SIMOTION is a scalable high performance hardware and software system for motion control.

SINEMA Remote Connect ensures management of secure connections (VPN) between headquarters, service technicians and the installed machines or plants.

SINUMERIK CNC offers automation solutions for the shop floor, job shops and large serial production environments.

SINUMERIK Panel Control Unit (PCU) offers HMI functionality for SINUMERIK CNC controllers.

SINUMERIK Thin Client Unit (TCU) offers HMI functionality for SINUMERIK CNC controllers.

SIPLUS extreme products are designed for reliable operation under extreme conditions and are based on SIMATIC, LOGO!, SITOP, SINAMICS, SIMOTION, SCALANCE or other devices. SIPLUS devices use the same firmware as the product they are based on.

VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.

* Vulnerability CVE-2018-3639

  An attacker with local access to the system could potentially disclose information from protected memory areas via a side-channel attack on the processor cache.

  CVSS v3.1 Base Score: 4.3
  CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:P/RL:O/RC:C
  CWE: CWE-200: Information Exposure

* Vulnerability CVE-2018-3640

  An attacker with local access to the system could potentially disclose information from protected memory areas via a side-channel attack on the processor cache.

  CVSS v3.1 Base Score: 4.3
  CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:P/RL:O/RC:C
  CWE: CWE-200: Information Exposure

ACKNOWLEDGMENTS
===============

Siemens thanks the following parties for their efforts:

* Artem Zinenko from Kaspersky for pointing out that SIPLUS should also be mentioned

ADDITIONAL INFORMATION
======================

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA
============

V1.0 (2018-09-11): Publication Date
V1.1 (2018-10-09): Added SIMATIC IPC327E
V1.2 (2018-11-13): Added solution for SIMATIC IPC647D, SIMATIC IPC847D, SIMATIC IPC647C, SIMATIC IPC847C, SIMATIC IPC627C, SIMATIC IPC677C, SIMATIC IPC827C, SIMOTION P320-4S, SIMOTION P320-4E, SIMATIC S7-1500 MFP, SIMATIC S7-1500 ODK
V1.3 (2018-12-11): Added solution for SIMATIC IPC547G, SIMATIC IPC627D, SIMATIC IPC677D, SIMATIC IPC827D, SINUMERIK PCU 50.5
V1.4 (2019-02-12): Added solution for SIMATIC ET 200 SP Open Controller, SIMATIC ET 200 SP Open Controller (F), SIMATIC S7-1500 Software Controller, SIMATIC IPC547E, SIMATIC ITP1000, SIMATIC IPC3000 SMART V2, SIMATIC IPC347E, SIMATIC HMI Basic Panels 2nd Generation, removed unaffected products SIMATIC IPC227E, SIMATIC IPC277E, SIMATIC IPC327E, SIMATIC IPC377E
V1.5 (2019-04-09): Added solution for SIMATIC HMI Panels V14
V1.6 (2020-02-10): SIPLUS devices now explicitly mentioned in the list of affected products

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms").
To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.