-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 # SSA-482757: Missing Immutable Root of Trust in S7-1500 CPU devices Publication Date: 2023-01-10 Last Update: 2025-01-14 Current Version: 1.5 CVSS v3.1 Base Score: 4.6 SUMMARY ======= Affected models of the S7-1500 CPU product family do not contain an Immutable Root of Trust in Hardware. With this the integrity of the code executed on the device can not be validated during load-time. An attacker with physical access to the device could use this to replace the boot image of the device and execute arbitrary code. As exploiting this vulnerability requires physical tampering with the product, Siemens recommends to assess the risk of physical access to the device in the target deployment and to implement measures to make sure that only trusted personnel have access to the physical hardware. The vulnerability is related to the hardware of the product. Siemens has released new hardware versions for several CPU types of the S7-1500 product family in which this vulnerability is fixed and is working on new hardware versions for remaining PLC types to address this vulnerability completely. See the chapter "Additional Information" below for more details. For more information please also refer to the related product support article: https://support.industry.siemens.com/cs/ww/en/view/109816536/. AFFECTED PRODUCTS AND SOLUTION ============================== * SIMATIC Drive Controller family: - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants): - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SJ00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DJ00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SK00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DK01-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DK00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RL00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RM00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1517H-3 PN (6ES7517-3HP00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1518HF-4 PN (6ES7518-4JP00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK (6ES7518-4AP00-3AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN (6ES7513-2GL00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS ET 200SP CPU 1510SP F-1 PN (6AG1510-1SJ01-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS ET 200SP CPU 1510SP F-1 PN RAIL (6AG2510-1SJ01-1AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-7AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-4AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-1AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK00-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-7AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-1AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-4AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-7AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-4AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-1AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK00-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK00-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL00-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL00-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM01-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1515R-2 PN (6AG1515-2RM00-7AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1515R-2 PN TX RAIL (6AG2515-2RM00-4AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-7AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN00-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1517H-3 PN (6AG1517-3HP00-4AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS S7-1500 CPU 1518HF-4 PN (6AG1518-4JP00-4AB0): - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" WORKAROUNDS AND MITIGATIONS =========================== Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk: * Restrict physical access to affected devices to trusted personnel to avoid hardware tampering (e.g., place the devices in locked control cabinets) Please follow the "General Security Recommendations". GENERAL SECURITY RECOMMENDATIONS ================================ As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial- security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity PRODUCT DESCRIPTION =================== SIMATIC Drive Controllers have been designed for the automation of production machines, combining the functionality of a SIMATIC S7-1500 CPU and a SINAMICS S120 drive control. SIMATIC S7-1500 CPU products have been designed for discrete and continuous control in industrial environments such as manufacturing, food and beverages, and chemical industries worldwide. The SIMATIC S7-1500 MFP CPUs provide functionality of standard S7-1500 CPUs with the possibility to run C/C++ Code within the CPU-Runtime for execution of own functions / algorithms implemented in C/C++ and an additional second independent runtime environment to execute C/C++ applications parallel to the STEP 7 program if required. SIMATIC S7-1500 ODK CPUs provide functionality of standard S7-1500 CPUs but additionally provide the possibility to run C/C++ Code within the CPU-Runtime for execution of own functions / algorithms implemented in C/C++. They have been designed for discrete and continuous control in industrial environments such as manufacturing, food and beverages, and chemical industries worldwide. SIPLUS extreme products are designed for reliable operation under extreme conditions and are based on SIMATIC, LOGO!, SITOP, SINAMICS, SIMOTION, SCALANCE or other devices. SIPLUS devices use the same firmware as the product they are based on. VULNERABILITY DESCRIPTION ========================= This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities. * Vulnerability CVE-2022-38773 Affected devices do not contain an Immutable Root of Trust in Hardware. With this the integrity of the code executed on the device can not be validated during load-time. An attacker with physical access to the device could use this to replace the boot image of the device and execute arbitrary code. CVSS v3.1 Base Score: 4.6 CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:T/RC:C CWE: CWE-1326: Missing Immutable Root of Trust in Hardware ACKNOWLEDGMENTS =============== Siemens thanks the following party for its efforts: * Yuanzhe Wu and Ang Cui from Red Balloon Security for coordinated disclosure ADDITIONAL INFORMATION ====================== Siemens has released the following new hardware versions of the S7-1500 product family (and their respective SIPLUS variants). They contain a new secure boot mechanism that resolves the vulnerability: - - SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0) * SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DK03-0AB0) * SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0) * SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CL03-0AB0) * SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0) * SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0) * SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0) * SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CM03-0AB0) * SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0) * SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DM03-0AB0) * SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0) * SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0) * SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RM03-0AB0) * SIMATIC S7-1500 CPU 1513pro-2 PN (6ES7513-2PM03-0AB0) * SIMATIC S7-1500 CPU 1513pro F-2 PN (6ES7513-2GM03-0AB0) * SIMATIC S7-1500 CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0) * SIMATIC S7-1500 CPU 1514SP-2 PN (6ES7514-2DN03-0AB0) * SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0) * SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0) * SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RN03-0AB0) * SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0) * SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0) * SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0) * SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0) * SIMATIC S7-1500 CPU 1516pro-2 PN (6ES7516-2PP03-0AB0) * SIMATIC S7-1500 CPU 1516pro F-2 PN (6ES7516-2GP03-0AB0) * SIMATIC S7-1500 CPU 1516T-3 PN (6ES7516-3TP10-0AB0) * SIMATIC S7-1500 CPU 1516TF-3 PN (6ES7516-3UP10-0AB0) * SIMATIC S7-1500 CPU 1517-3 PN (6ES7517-3AQ10-0AB0) * SIMATIC S7-1500 CPU 1517F-3 PN (6ES7517-3FQ10-0AB0) * SIMATIC S7-1500 CPU 1517H-4 PN (6ES7517-4HQ10-0AB0) * SIMATIC S7-1500 CPU 1517T-3 PN (6ES7517-3TQ10-0AB0) * SIMATIC S7-1500 CPU 1517TF-3 PN (6ES7517-3UQ10-0AB0) * SIMATIC S7-1500 CPU 1518-3 PN (6ES7518-3AT10-0AB0) * SIMATIC S7-1500 CPU 1518F-3 PN (6ES7518-3FT10-0AB0) * SIMATIC S7-1500 CPU 1518HF-4 PN (6ES7518-4JT10-0AB0) * SIMATIC S7-1500 CPU 1518T-3 PN (6ES7518-3TT10-0AB0) * SIMATIC S7-1500 CPU 1518TF-3 PN (6ES7518-3UT10-0AB0) Siemens is working on new hardware versions for additional PLC types to address this vulnerability further. For more information please also refer to the related product support article: https://support.industry.siemens.com/cs/ww/en/view/109816536/. For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories HISTORY DATA ============ V1.0 (2023-01-10): Publication Date V1.1 (2023-02-14): Added information about additional new S7-1500 hardware versions and a reference to the related product support title V1.2 (2023-03-14): Added information about additional new S7-1500 hardware versions: SIMATIC S7-1500 CPU 1514SP( F)-2 PN V1.3 (2023-12-12): Added information about additional new S7-1500 hardware versions: SIMATIC S7-1500 CPU 1513pro( F)-2 PN, SIMATIC S7-1500 CPU 1516pro( F)-2 PN V1.4 (2024-06-11): Added information about additional new S7-1500 hardware versions: SIMATIC S7-1500 CPU 1511C-1 PN, SIMATIC S7-1500 CPU 1512C-1 PN V1.5 (2025-01-14): Added information about additional new S7-1500 hardware versions TERMS OF USE ============ The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use. Copyright: Siemens 2025 -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEch+g+vCfo0skv7l6x5aGHHWng/oFAmeFqQAACgkQx5aGHHWn g/rZFA//WC2aTxwyjms4Kn5xPcIKzLOOt3/eo9zr3Ql4nf/Q4gqsupWGg2n2X4pe JjTnwRw/3xj0oNOPLrtftOZTohVuNu2AKY9pvKVCKODKANBmTO2hb/So4kXxyITA zW/Vxb1+md1bQ8vvnA7O0hOAe86CVT4o1m2y7fec1jijfT+M0O16k5Wg61oaKSkm 0DM40iy9Ap4QTybawbmpRnehBkoENqtxfYeqYopJZ3exUA8MGTVeEePBse9Pcvpr 2JMyQPi2DFFomRHK0XSSRbkxa9zPezIipyJfwZ2hmBvkoWP9XTGAR4PzH0vHjK8S +7Gj7YalYLaZRaBGCydKNG8Mzlwryj4XWxa7ZwMRLYcHzuBDXFjjjkJM8+P3Jz6D MWsbsySYcEsMScXoHIDZFCBnnoVlY6QDumh6w9Q1rdPlJC/DVPn4BvGrQ9Qqjkus qbjj0M+n4eBWBiCVRIWv4A+j+i5WPSjoq91IIj+NN86qVhaJRI/uwAm4hXaC/7qH +LG5OeigE0W8wHVVW+7hapxdCQykFIVBH7E+KrTXxtFuYJs/zVxkvPUA9DK6Vjv8 9V7Aw399s+phnkRGOSQjaQnlHQ8MSv9S+07LZ4f5yTVvcg6ttiyTS6Izh3eXL+Xp DH3G92Gvq3QcyBJYFk/28LIYtiRu1GioxePye9b5SdKvc2CS0uo= =m1hQ -----END PGP SIGNATURE-----