Full Report
Multiple vulnerabilities have been identified in Siemens SIMATIC IPCs, SIMATIC Tablet PCs, and SIMATIC Field PGs that can allow an authenticated attacker to alter the Secure Boot and password configurations. Siemens has released new BIOS versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not yet, or not at all, available.
Analysis Summary
# Vulnerability: EFI Variable Protection Failure in Siemens SIMATIC Devices
## CVE Details
- **CVE ID:** CVE-2024-56181, CVE-2024-56182
- **CVSS Score:** 8.2 (High) [v3.1] / 8.4 (High) [v4.0]
- **CWE:** CWE-693: Protection Mechanism Failure
## Affected Systems
- **Products:**
  - SIMATIC Field PG (M5, M6)
  - SIMATIC IPC family (IPC127E, IPC227E, IPC227G, IPC277G, IPC277G PRO, IPC327G, IPC377G)
  - SIMATIC Tablet PCs (based on BIOS architecture)
- **Versions:**
  - **Field PG M6:** All versions < V26.01.12
  - **IPC227G / 277G / 327G:** All versions < V28.01.14
  - **Field PG M5, IPC127E, IPC227E:** All versions (currently no fix available or planned for this older hardware)
- **Configurations:** Systems utilizing EFI (Extensible Firmware Interface) variables for security enforcement.
## Vulnerability Description
The affected Siemens devices suffer from insufficient protection mechanisms for EFI variables stored in the flash memory. An authenticated attacker can bypass standard BIOS/UEFI security abstractions and communicate directly with the flash controller.
- **CVE-2024-56181:** Focuses on the unauthorized alteration of the **Secure Boot** configuration.
- **CVE-2024-56182:** Focuses on the unauthorized disabling of the **BIOS password**.
## Exploitation
- **Status:** Not reported as exploited in the wild (as of the advisory date); no public proof of concept is referenced in the advisory.
- **Complexity:** Low (technical knowledge of flash controller communication is required, but once known, execution is straightforward).
- **Attack Vector:** Local (Requires local access to the system).
- **Privileges Required:** High (Attacker must be authenticated with administrative/high-level privileges).
## Impact
- **Confidentiality:** High (Ability to bypass BIOS passwords facilitates data access).
- **Integrity:** High (Ability to modify Secure Boot and BIOS settings allows firmware-level persistence and unauthorized OS loading).
- **Availability:** High (Modification of low-level flash settings can lead to system instability or denial of service).
## Remediation
### Patches
Siemens recommends updating to the following BIOS versions (or later):
- **SIMATIC Field PG M6:** Update to **V26.01.12**
- **SIMATIC IPC227G / IPC277G / IPC327G:** Update to **V28.01.14**
- **SIMATIC IPC RW-543B / RC-543B:** Refer to latest fix versions added in V1.3 of the advisory.
### Workarounds
For products where no fix is currently available (e.g., IPC227E, IPC127E):
- Restrict physical access to the device to prevent direct hardware manipulation.
- Implement strict "Principle of Least Privilege" to ensure only trusted users have administrative access.
- Use additional disk encryption (e.g., BitLocker) that relies on TPM rather than just BIOS passwords.
## Detection
- **Indicators of Compromise:** Unexplained changes in Secure Boot status (Disabled/Setup Mode) or the sudden removal of BIOS power-on/setup passwords.
- **Detection Methods:** Audit EFI variable integrity using firmware analysis tools or Siemens-provided diagnostic utilities. Monitor system logs for unauthorized hardware-level configuration changes.
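As an added defender-side illustration (not part of the Siemens advisory and not a Siemens utility), the script below compares a trusted baseline of EFI variables against a later snapshot, using the Linux efivarfs record layout (a 4-byte little-endian attribute header followed by the variable data), and flags the indicators listed above. The snapshots are constructed sample data; the variable names and GUID are the standard UEFI global-variable names, and the baseline would normally be captured right after installing the fixed BIOS.

```python
import hashlib
import struct

# EFI global variable namespace GUID (EFI_GLOBAL_VARIABLE), used for SecureBoot/SetupMode.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
ATTR_NV, ATTR_BS, ATTR_RT = 0x1, 0x2, 0x4  # NON_VOLATILE, BOOTSERVICE_ACCESS, RUNTIME_ACCESS


def efivar_record(attrs: int, data: bytes) -> bytes:
    """Build an efivarfs-style record: 4-byte little-endian attributes, then the data."""
    return struct.pack("<I", attrs) + data


def parse_efivar(raw: bytes):
    """Split an efivarfs record into (attributes, data); rejects truncated records."""
    if len(raw) < 4:
        raise ValueError("efivar record shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def _short_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()[:12]


# Constructed snapshots (not captured from a real SIMATIC device): a trusted baseline
# and a later snapshot in which Secure Boot is off and the firmware sits in Setup Mode.
BASELINE = {
    f"SecureBoot-{EFI_GLOBAL}": efivar_record(ATTR_BS | ATTR_RT, b"\x01"),
    f"SetupMode-{EFI_GLOBAL}": efivar_record(ATTR_BS | ATTR_RT, b"\x00"),
    f"BootOrder-{EFI_GLOBAL}": efivar_record(ATTR_NV | ATTR_BS | ATTR_RT, b"\x00\x00\x01\x00"),
}
SNAPSHOT = {
    f"SecureBoot-{EFI_GLOBAL}": efivar_record(ATTR_BS | ATTR_RT, b"\x00"),
    f"SetupMode-{EFI_GLOBAL}": efivar_record(ATTR_BS | ATTR_RT, b"\x01"),
    f"BootOrder-{EFI_GLOBAL}": efivar_record(ATTR_NV | ATTR_BS | ATTR_RT, b"\x00\x00\x01\x00"),
}


def audit_efivars(baseline: dict, snapshot: dict) -> list:
    """Return human-readable findings for every variable that differs from the baseline."""
    findings = []
    for name in sorted(set(baseline) | set(snapshot)):
        short = name.split("-", 1)[0]
        if name not in snapshot:
            findings.append(f"{short}: variable missing from snapshot")
            continue
        if name not in baseline:
            findings.append(f"{short}: new variable not present in baseline")
            continue
        old_attrs, old = parse_efivar(baseline[name])
        new_attrs, new = parse_efivar(snapshot[name])
        if old == new and old_attrs == new_attrs:
            continue  # unchanged: nothing to report
        if short == "SecureBoot" and old[:1] == b"\x01" and new[:1] == b"\x00":
            findings.append("SecureBoot: enabled -> disabled (advisory indicator)")
        elif short == "SetupMode" and old[:1] == b"\x00" and new[:1] == b"\x01":
            findings.append("SetupMode: user mode -> setup mode (advisory indicator)")
        else:
            findings.append(f"{short}: changed ({_short_hash(old)} -> {_short_hash(new)})")
    return findings
```

On a live Linux host the same records can be read from the files under /sys/firmware/efi/efivars; on Windows-based IPCs the equivalent status comes from the Secure Boot PowerShell cmdlets, with the comparison logic unchanged.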
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-216014.pdf
- **Siemens Industrial Security:** hxxps://www.siemens[.]com/industrialsecurity
- **Siemens ProductCERT:** hxxps://www.siemens[.]com/cert/advisories