-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# SSA-470231: TPM Vulnerability in SIMATIC IPCs

Publication Date:        2018-02-22
Last Update:             2020-02-10
Current Version:         1.2
CVSS v3.1 Base Score:    5.9

SUMMARY
=======

Several SIMATIC IPCs include a version of Infineon's Trusted Platform
Module (TPM) firmware that mishandles RSA key generation. This makes it
easier for attackers to conduct cryptographic attacks against the key
material.

Siemens has released updates for the affected Industrial PCs.


AFFECTED PRODUCTS AND SOLUTION
==============================


* SIMATIC Field-PG M5 
  - Affected versions:
       BIOS < V22.01.04
  - Remediation:
       Update BIOS to V22.01.04
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109738122

* SIMATIC IPC227E 
  - Affected versions:
       BIOS < V20.01.10
  - Remediation:
       Update BIOS to V20.01.10
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109481715

* SIMATIC IPC277E 
  - Affected versions:
       BIOS < V20.01.10
  - Remediation:
       Update BIOS to V20.01.10
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109481715

* SIMATIC IPC427E (incl. SIPLUS variants) 
  - Affected versions:
       BIOS < V21.01.07
  - Remediation:
       Update BIOS to V21.01.07
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109742593

* SIMATIC IPC477E 
  - Affected versions:
       BIOS < V21.01.07
  - Remediation:
       Update BIOS to V21.01.07
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109742593

* SIMATIC IPC547G 
  - Affected versions:
       BIOS < R1.21.0
  - Remediation:
       Update BIOS to R1.21.0
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109750349

* SIMATIC ITP1000 
  - Affected versions:
       BIOS < V23.01.03
  - Remediation:
       Update BIOS to V23.01.03
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109748173


WORKAROUNDS AND MITIGATIONS
===========================

Siemens has identified the following specific workarounds and mitigations that
customers can apply to reduce the risk:

* Only RSA key pairs generated by the TPM are affected by this
vulnerability. Rekeying of the TPM by using other cryptograhpic
algorithms (e.g. ECC), using 3936-bit RSA keys, or importing RSA keys to
the TPM that are generated by other systems help mitigate the security
vulnerability.
  


GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, Siemens strongly recommends to protect
network access to devices with appropriate mechanisms. In order to
operate the devices in a protected IT environment, Siemens recommends to
configure the environment according to Siemens' operational guidelines
for Industrial Security (Download:
https://www.siemens.com/cert/operational-guidelines-industrial-security),
and to follow the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found
at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION
===================

SIMATIC Industrial PCs are the PC hardware platform for PC-based
Automation from Siemens.

SIPLUS extreme products are designed for reliable operation under
extreme conditions and are based on SIMATIC, LOGO!, SITOP, SINAMICS,
SIMOTION, SCALANCE or other devices. SIPLUS devices use the same
firmware as the product they are based on.

VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring
system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS 
environmental score is specific to the customer's environment and will impact
the overall CVSS score. The environmental score should therefore be 
individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a
community-developed list of common software security weaknesses. This serves as
a common language and as a baseline for weakness identification, mitigation,
and prevention efforts. A detailed list of CWE classes can be found at:
https://cwe.mitre.org/.



* Vulnerability CVE-2017-15361

  The Infineon RSA library in Infineon Trusted Platform Module (TPM)
  firmware creates RSA keys which might be susceptible to the ROCA attack,
  possibly exposing the private key of a RSA key pair.

  CVSS v3.1 Base Score: 5.9
  CVSS Vector:          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
  CWE:                  CWE-310: Cryptographic Issues


ACKNOWLEDGMENTS
===============

Siemens thanks the following parties for their efforts:

   * Artem Zinenko from Kaspersky for pointing out that SIPLUS should also be mentioned



ADDITIONAL INFORMATION
======================
Further information can be found on
https://support.industry.siemens.com/cs/ww/de/view/109747626.
Information about the vulnerability by Infineon can be found on
https://www.infineon.com/cms/en/product/promopages/tpm-update/

For further inquiries on security vulnerabilities in Siemens products and 
solutions, please contact the Siemens ProductCERT:

https://www.siemens.com/cert/advisories


HISTORY DATA
============

V1.0 (2018-02-22): Publication Date
V1.1 (2018-03-15): Update for IPC547G
V1.2 (2020-02-10): SIPLUS devices now explicitly mentioned in the list of affected products

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained
in Siemens' underlying license terms or other applicable agreements previously
agreed to with Siemens (hereinafter "License Terms"). To the extent applicable
to information, software or documentation made available in or through a
Siemens Security Advisory, the Terms of Use of Siemens' Global Website
(https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in
particular Sections 8-10 of the Terms of Use, shall apply additionally. In case
of conflicts, the License Terms shall prevail over the Terms of Use.
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJeQJ0AAAoJENP0geoRSq/kdKwQAMAhYJ3jl+9iDzK8Cc+XTTKu
Y2a/9LLQ+C4vLajdzfoIjwN3mspm0df1f4wF/kxcISQWU4QuOIGHhl5o+6lauR/1
TquY3V9jP7DestTRr+73Av4YlV8Zb+ZATT2/nPdpIOUv59gChQdwzt7tk/ioPnm+
3klLgGaQvVKkdJ1/Kwja7gFBGyUfQt8H8l2/h2fk7u3b/eDeOrc0e+06oMHFT7w/
BOKeQnDcZ9GsCDEu0fVVOqIdE2zpq73v5TQGxzanTxg1ipJs389DSE++SmwczPT9
butjy2xe6Fg2wt4FxQm+obvwIICcKt9GBSjtfQTXPGDRbwo1pC6vnmtQYMglWD/4
SSkYWjbhn2XUdeOjvkZHtp+YUCmnfuS/wVDOOTaxo2UDq36ZEGk2Urr9qoUtVFs8
T4cHSNpqVjkgMe5/PgEB3xToYwZrgYWsTc3USn1UCORLuBY9ZvOVkvBrIR1hShbt
reck3ya5O+JUkCuiDBINzzu0evRh2jPb+V9NrG9+YOEp09gEXIrSXiWd1A4uTgo9
COQUEjlQWs/dOZXlpLBJIPd+2ML423z8zGSxCjYDfsaFzh8oejfXfOHr5X1tNGxF
nCuiNS0PYGIZe3zTUcAd9fB2BCANHUniMn6P0cPKV0JX2PGRTeXkU+Jc7wPPiY+b
8gStlxEhtggD/bzoCGmH
=QemM
-----END PGP SIGNATURE-----