-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 # SSA-616472: ZombieLoad and Microarchitectural Data Sampling Vulnerabilities in Industrial Products Publication Date: 2019-07-09 Last Update: 2020-12-08 Current Version: 1.7 CVSS v3.1 Base Score: 6.5 SUMMARY ======= Security researchers published information on vulnerabilities known as ZombieLoad and Microarchitectural Data Sampling (MDS). These vulnerabilities affect many modern processors from different vendors to a varying degree. Several Siemens Industrial Products contain processors that are affected by the vulnerabilities. AFFECTED PRODUCTS AND SOLUTION ============================== For SIMATIC IPCs, SIMATIC Field PGs, SIMATIC ITP devices, SIMOTION P and SINUMERIK PCUs: Siemens provides the first BIOS updates that include chipset microcode updates, and is working on further updates. In addition to applying the available BIOS updates, customers must also install the operating system patches that are provided by the operating system vendors in order to mitigate the vulnerabilities. Depending on the deployed operating system version, additional steps may be required to enable the mitigations. Please see operating system documentation for details. * SIMATIC Field PG M4 - Affected versions: All BIOS versions < V18.01.09 - Remediation: Update BIOS to V18.01.09 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC Field PG M5 - Affected versions: All BIOS versions < V22.01.07 - Remediation: Update BIOS to V22.01.07 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC Field PG M6 - Affected versions: All BIOS versions < V26.01.05 - Remediation: Update BIOS to V26.01.05 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC IPC127E - Affected versions: All BIOS versions < V27.01.04 - Remediation: Update BIOS to V27.01.04 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC IPC2X7E - Affected versions: All BIOS versions < V20.01.13 - Remediation: Update BIOS to V20.01.13 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC IPC3000 SMART V2 - Affected versions: All versions < V1.7 - Remediation: Update BIOS to V1.7 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC IPC327E - Affected versions: All BIOS versions < V1.7 - Remediation: Update BIOS to V1.7 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC IPC347E - Affected versions: All versions < V1.7 - Remediation: Update BIOS to V1.7 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC IPC377E - Affected versions: All BIOS versions < V1.7 - Remediation: Update BIOS to V1.7 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC IPC427C - Affected versions: All versions - Remediation: See recommendations from section Workarounds and Mitigations * SIMATIC IPC427D (incl. SIPLUS variants) - Affected versions: All BIOS versions < V17.0X.16 - Remediation: Update BIOS to V17.0X.16 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC IPC427E (incl. SIPLUS variants) - Affected versions: All BIOS versions < V21.01.11 - Remediation: Update BIOS to V21.01.11 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC IPC477C - Affected versions: All versions - Remediation: See recommendations from section Workarounds and Mitigations * SIMATIC IPC477D - Affected versions: All BIOS versions < V17.0X.16 - Remediation: Update BIOS to V17.0X.16 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC IPC477E - Affected versions: All BIOS versions < V21.01.11 - Remediation: Update BIOS to V21.01.11 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC IPC477E Pro - Affected versions: All BIOS versions < V21.01.11 - Remediation: Update BIOS to V21.01.11 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC IPC527G - Affected versions: All BIOS versions < V1.3.0 - Remediation: Update BIOS to V1.3.0 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC IPC547E - Affected versions: All BIOS versions < R1.33 - Remediation: Update BIOS to R1.33 - Download: https://support.industry.siemens.com/cs/us/en/view/109763408 * SIMATIC IPC547G - Affected versions: All BIOS versions < R1.24.0 - Remediation: Update BIOS to R1.24.0 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC IPC627C - Affected versions: All versions - Remediation: See recommendations from section Workarounds and Mitigations * SIMATIC IPC627D - Affected versions: All BIOS versions < V19.02.12 - Remediation: Update BIOS to V19.02.12 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC IPC627E - Affected versions: All BIOS versions < V25.02.04 - Remediation: Update BIOS to V25.02.04 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC IPC647C - Affected versions: All versions - Remediation: See recommendations from section Workarounds and Mitigations * SIMATIC IPC647D - Affected versions: All BIOS versions < V19.01.15 - Remediation: Update BIOS to V19.01.15 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC IPC647E - Affected versions: All BIOS versions < V25.02.04 - Remediation: Update BIOS to V25.02.04 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC IPC677C - Affected versions: All versions - Remediation: See recommendations from section Workarounds and Mitigations * SIMATIC IPC677D - Affected versions: All BIOS versions < V19.02.12 - Remediation: Update BIOS to V19.02.12 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC IPC677E - Affected versions: All BIOS versions < V25.02.04 - Remediation: Update BIOS to V25.02.04 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC IPC827C - Affected versions: All versions - Remediation: See recommendations from section Workarounds and Mitigations * SIMATIC IPC827D - Affected versions: All BIOS versions < V19.02.12 - Remediation: Update BIOS to V19.02.12 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC IPC847C - Affected versions: All versions - Remediation: See recommendations from section Workarounds and Mitigations * SIMATIC IPC847D - Affected versions: All BIOS versions < V19.01.15 - Remediation: Update BIOS to V19.01.15 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC IPC847E - Affected versions: All BIOS versions < V25.02.04 - Remediation: Update BIOS to V25.02.04 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC ITP1000 - Affected versions: All BIOS versions < V23.01.06 - Remediation: Update BIOS to V23.01.06 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (MLFB: 6ES7518-4AX00-1AC0, 6AG1518-4AX00-4AC0, incl. SIPLUS variant) - Affected versions: All versions < V2.8.4 - Remediation: Update to V2.8.4 - Download: https://support.industry.siemens.com/cs/ww/en/view/109761490 * SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (MLFB: 6ES7518-4FX00-1AC0) - Affected versions: All versions < V2.8.4 - Remediation: Update to V2.8.4 - Download: https://support.industry.siemens.com/cs/ww/en/view/109761495 * SIMOTION P320-4E - Affected versions: All BIOS versions < V17.0X.16 - Remediation: Update BIOS to V17.0X.16 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SIMOTION P320-4S - Affected versions: All BIOS versions < V17.0X.16 - Remediation: Update BIOS to V17.0X.16 - Download: https://support.industry.siemens.com/cs/ww/en/view/109763408 * SINUMERIK 840 D sl (NCU720.3B, NCU730.3B, NCU720.3, NCU730.3) - Affected versions: All versions - Remediation: See recommendations from section Workarounds and Mitigations * SINUMERIK PCU 50.5 - Affected versions: All versions - Remediation: See recommendations from section Workarounds and Mitigations * SINUMERIK Panels with integrated TCU - Affected versions: All versions released - Remediation: Follow recommendations for SINUMERIK PCU or SINUMERIK TCU * SINUMERIK TCU 30.3 - Affected versions: All versions - Remediation: See recommendations from section Workarounds and Mitigations WORKAROUNDS AND MITIGATIONS =========================== Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk: * As a prerequisite for an attack, an attacker must be able to run untrusted code on affected systems. Siemens recommends limiting the possibilities to run untrusted code if possible. * Applying a Defense-in-Depth concept can help to reduce the probability that untrusted code is run on the system. Siemens recommends to apply the Defense-in-Depth concept: https://www.siemens.com/industrialsecurity GENERAL SECURITY RECOMMENDATIONS ================================ As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity PRODUCT DESCRIPTION =================== SIMATIC Industrial PCs are the PC hardware platform for PC-based Automation from Siemens. The SIMATIC S7-1500 MFP CPUs provide functionality of standard S7-1500 CPUs with the possibility to run C/C++ Code within the CPU-Runtime for execution of own functions / algorithms implemented in C/C++ and an additional second independent runtime environment to execute C/C++ applications parallel to the STEP 7 program if required. SIMOTION is a scalable high performance hardware and software system for motion control. SINUMERIK CNC offers automation solutions for the shop floor, job shops and large serial production environments. SINUMERIK Panel Control Unit (PCU) offers HMI functionality for SINUMERIK CNC controllers. SINUMERIK Thin Client Unit (TCU) offers HMI functionality for SINUMERIK CNC controllers. SIPLUS extreme products are designed for reliable operation under extreme conditions and are based on SIMATIC, LOGO!, SITOP, SINAMICS, SIMOTION, SCALANCE or other devices. SIPLUS devices use the same firmware as the product they are based on. VULNERABILITY CLASSIFICATION ============================ The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring. An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/. * Vulnerability CVE-2018-12126 Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. CVSS v3.1 Base Score: 6.5 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor * Vulnerability CVE-2018-12127 Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. CVSS v3.1 Base Score: 6.5 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor * Vulnerability CVE-2018-12130 Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. CVSS v3.1 Base Score: 6.5 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor * Vulnerability CVE-2019-11091 Microarchitectural Data Sampling Uncacheable Memory (MDSUM): Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. CVSS v3.1 Base Score: 3.8 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:P/RL:O/RC:C CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor ACKNOWLEDGMENTS =============== Siemens thanks the following parties for their efforts: * Artem Zinenko from Kaspersky for pointing out that SIPLUS should also be mentioned ADDITIONAL INFORMATION ====================== For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories HISTORY DATA ============ V1.0 (2019-07-09): Publication Date V1.1 (2019-08-13): Updated link for SIMATIC IPCs 427D, 477D, 627D, 627E, 647D, 647E, 677D, 677E, 827D, 847D, 847E and FieldPG M6 V1.2 (2019-09-10): Updates for FieldPG M4, FieldPG M5 and ITP1000 V1.3 (2019-11-12): Updates for SIMOTION P320-4E, SIMOTION P320-4S and SIMATIC IPC547G V1.4 (2019-12-10): Updates for SIMATIC IPC2X7E, SIMATIC IPC327E, SIMATIC IPC377E, and SIPLUS devices now explicitly mentioned in the list of affected products V1.5 (2020-02-11): Updates for SIMATIC IPC547E, SIMATIC IPC347E, and SIMATIC IPC3000 SMART V2 V1.6 (2020-03-10): Updates for SIMATIC IPC127E, and SIMATIC IPC527G V1.7 (2020-12-08): Remove wrong MLFB from SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP and Updates for SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP TERMS OF USE ============ Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use. -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEElTRCLAVwzKf/b8X80/SB6hFKr+QFAl/OwgAACgkQ0/SB6hFK r+SnDBAAqd3jZSmJUP+F2MRyRDzcjx4OWSFPL0V4E40H8Smd4+dZOrd2w1bjPG/e //AEH80PxtdbRxKHwX3qjxcDOE8QvmWe3IciaO8f+qT5Oy/IBlmCt9dDh/yVy3e8 2SjyskaR4t1WkctXvXSsv9VWPggN2X9WkpFPNiqse7HYR4ne++pPFp5BwAYwrxIk wIf2G3wgcacMsoR8A3Do0g2wNGxtBSpMLqjESSGCdSJvOe7nG4rv1zTehR3AEFbc FagMA7WX5Hn4+EUBxd7U+EHjFwTb1EF5Y1aqadt5RCUCYGQbxonMzWK58P4U+Afi k1VFpCooLGFEa0NLttXC4lrJ6v3t/oAI6doUaJOoRyhhTHYpBsWxEx39pPJJsLmT EyaDPe4iL7VbuwehNBhY2amW+DumPzsTZpQG0q65k2yeeRoU174flTBAkguaLmDQ 0Etk8tE9edgm562H978f3glGeAMkB4zi8HG+A+b9AUfhtPZAlNi/+k72dOEqqFRJ PnvmFGl2KUt0gMoJq/lj3RqW+8X7h7WYcqjVGh0eV5njX9y2zqYCo7V4WpaG7yr5 FcELXpEPxAVIkteTLvTn7c2vB5UWSEgFVsH6b3HRvsu7LxkzOEfDXcXXzFD8d5aY OCji8EnUSwIPFyT/ZNqTEz4XFUIEwCAcewaO5xIK25pJHia6GQQ= =qge9 -----END PGP SIGNATURE-----