Full Report
28 industrial solutions by Siemens are affected by vulnerabilities in Intel ME, SPS and TXE technologies. The vendor has released patches for all of these products and made them available on its website.
Analysis Summary
# Vulnerability: Intel ME, SPS, and TXE Vulnerabilities in Siemens Industrial Solutions
## CVE Details
*Note: This summary covers the primary vulnerabilities identified in the Intel-SA-00086 advisory affecting Siemens products.*
* **CVE ID:** CVE-2017-5705, CVE-2017-5706, CVE-2017-5707, CVE-2017-5708, CVE-2017-5709, CVE-2017-5710, CVE-2017-5711, CVE-2017-5712
* **CVSS Score:** Up to 8.2 (High)
* **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-73 (External Control of File Name or Path)
## Affected Systems
* **Products:** 28 Siemens industrial product lines, including:
  * SIMATIC Industrial PCs (IPCs)
  * SIMATIC Field PG (programming devices)
  * SIMATIC S7-1500 Software Controllers
  * SIMATIC WinAC RTX (F)
  * SINUMERIK CNC systems (828D, 840D sl)
  * SIMOTION P320
* **Versions:** Hardware using Intel Management Engine (ME) firmware 11.x, Server Platform Services (SPS) 4.0, or Trusted Execution Engine (TXE) 3.0.
* **Configurations:** Products with Intel Active Management Technology (AMT) enabled or hardware utilizing specific Intel Atom, Apollo Lake, and Core processors.
## Vulnerability Description
The flaws reside in the firmware of Intel's Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE). Specifically, multiple buffer overflows and privilege escalation vulnerabilities exist in the microkernel and firmware modules. They allow an attacker with administrative access (or physical access, depending on the specific CVE) to execute arbitrary code inside these highly privileged subsystems, which run independently of the main OS and are therefore outside the reach of OS-level security controls.
## Exploitation
* **Status:** Not known to be exploited in the wild at the time of the advisory; Intel released a detection tool (not exploit code) for checking whether a system is vulnerable.
* **Complexity:** Medium to High
* **Attack Vector:** Local or Network (Network vector applies specifically to systems with Intel AMT enabled).
## Impact
* **Confidentiality:** High (Access to data processed by the CPU and ME)
* **Integrity:** High (Ability to modify system firmware or intercept communications)
* **Availability:** High (Potential for system instability or "bricking" the hardware)
## Remediation
### Patches
Siemens has released BIOS/Firmware updates for all 28 affected product lines.
* **SIMATIC IPC227E / IPC277E:** Update to BIOS v21.01.08
* **SIMATIC IPC427D / IPC477D:** Update to BIOS v19.01.07
* **SIMATIC Field PG M5:** Update to BIOS v22.01.04
* Users should visit the Siemens ProductCERT portal to download product-specific BIOS updates.
### Workarounds
* Disable Intel AMT in the BIOS/ME settings if not required for remote management.
* Restrict local administrative access to industrial PCs.
* Implement strict network segmentation to prevent access to Management Engine interfaces from untrusted networks.
## Detection
* **Indicators of compromise:** Unauthorized system reboots, unexpected changes in BIOS settings, or unexplained network traffic from the management interface.
* **Detection methods and tools:** Use the "Intel-SA-00086 Detection Tool" provided by Intel to determine if the local system is vulnerable.
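The segmentation workaround and the "unexplained network traffic from the management interface" indicator above can be checked against firewall or flow logs. The following script is an added example written for this summary, not a tool from Siemens, Intel or Kaspersky ICS CERT: it parses a constructed key=value firewall log and reports every TCP connection to an Intel AMT/ME service port whose source is outside an assumed management subnet (10.99.0.0/24). The port list (16992/16993 for the AMT web and WS-Management interface, 16994/16995 for SOL/IDE-R redirection, 623/664 for ASF/RMCP) comes from Intel's general AMT documentation, not from this page; the log format and subnet are assumptions to adapt to your environment.

```python
"""Report connections to Intel AMT/ME management ports from outside the
management network.

Constructed example for the Intel-SA-00086 / Siemens advisory summary.
The log format and the management subnet are assumptions; the AMT port
list is from Intel's general AMT documentation, not from the advisory.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# TCP ports served by Intel AMT (assumption: general AMT documentation).
# 16992/16993: HTTP/HTTPS web UI and WS-Management
# 16994/16995: Serial-over-LAN / IDE redirection
# 623/664: ASF / RMCP (plain and secure)
AMT_PORTS = {16992, 16993, 16994, 16995, 623, 664}

# Assumption: only hosts in this jump/management network may reach ME interfaces.
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")

# Assumed key=value firewall log line format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)\s+action=(?P<action>\w+)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line; return None for lines that do not match the format."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    rec: Dict[str, object] = match.groupdict()
    rec["dport"] = int(rec["dport"])  # type: ignore[arg-type]
    return rec


def find_amt_access(lines: Iterable[str],
                    mgmt_net: ipaddress.IPv4Network = MGMT_NET) -> List[Dict[str, object]]:
    """Return records for TCP connections to AMT ports from outside mgmt_net.

    Denied connections are reported too: an allowed hit means the
    segmentation workaround is not in force; a denied hit is still an
    attempt worth reviewing.
    """
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or str(rec["proto"]).lower() != "tcp":
            continue
        if rec["dport"] not in AMT_PORTS:
            continue
        try:
            src = ipaddress.ip_address(str(rec["src"]))
        except ValueError:
            continue  # unparsable source address; skip rather than crash
        if src in mgmt_net:
            continue  # expected management traffic
        findings.append(rec)
    return findings


# Constructed sample log: one legitimate management access, two hits
# from outside the management network, one unrelated HTTPS flow, one
# malformed line.
SAMPLE_LOG = """\
2018-03-01T08:15:02Z src=10.99.0.12 dst=10.20.5.40 dport=16993 proto=tcp action=allow
2018-03-01T08:16:44Z src=192.168.1.50 dst=10.20.5.40 dport=16992 proto=tcp action=allow
2018-03-01T08:17:10Z src=10.20.5.17 dst=10.20.5.41 dport=443 proto=tcp action=allow
2018-03-01T08:18:31Z src=172.16.4.9 dst=10.20.5.42 dport=623 proto=tcp action=deny
this line is not in the expected format
""".splitlines()


if __name__ == "__main__":
    for hit in find_amt_access(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"({hit['action']}) reaches an AMT port from outside the management net")
```

Run against real exports by replacing `SAMPLE_LOG` with the lines of your firewall log and adjusting `LINE_RE` and `MGMT_NET`; any allowed finding on an industrial PC with AMT still enabled means the network-segmentation workaround from the advisory is not actually in place for that host.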
## References
* Siemens ProductCERT: hxxps[://]www[.]siemens[.]com/cert/en/advisories.htm
* Intel Security Advisory SA-00086: hxxps[://]www[.]intel[.]com/content/www/us/en/security-center/advisory/intel-sa-00086[.]html
* Kaspersky ICS CERT: hxxps[://]ics-cert[.]kaspersky[.]com/publications/2018/03/01/siemens-industrial-solutions-are-affected-by-vulnerabilities-in-intel-me-sps-and-txe-technologies/