Full Report
Insyde published information on vulnerabilities in Insyde BIOS in February 2022. This advisory lists the Siemens industrial products affected by these vulnerabilities. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Insyde BIOS Vulnerabilities in Siemens Industrial Products
## CVE Details
- **CVE ID:** Multiple (including CVE-2020-27339, CVE-2021-33625, CVE-2021-41837, CVE-2021-41838, CVE-2021-41839, CVE-2021-43613, and others).
- **CVSS Score:** 8.4 (High) - [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H]
- **CWE:** CWE-20 (Improper Input Validation); several of the flaws are SMM callout vulnerabilities.
## Affected Systems
- **Products:**
- RUGGEDCOM APE1808 (BIOS)
- SIMATIC Field PG (M5 and M6 variants)
- SIMATIC IPC Series (127E, 227G, 277G, 327G, 377G, 427E, 477E, 477E PRO, 627E, 647E, 677E, 847E)
- SIMATIC ITP1000
- **Versions:**
- RUGGEDCOM APE1808: All versions < V1.0.202N
- SIMATIC Field PG M5: All versions < V22.01.10
- SIMATIC Field PG M6: Versions prior to the fix release referenced in the V1.9 advisory update.
- **Configurations:** Systems utilizing Insyde BIOS firmware within the specified Siemens industrial hardware.
## Vulnerability Description
The advisory covers multiple flaws in the Insyde BIOS firmware. The primary technical concern is an **SMM (System Management Mode) callout vulnerability**. SMM is the most privileged execution mode on x86 systems; its code and data live in SMRAM, which is locked against access from the operating system, and a System Management Interrupt (SMI) handler running in SMM receives its arguments through a communication buffer that the OS controls. A callout occurs when the handler, without validating that input, follows a pointer taken from the buffer to code or data outside SMRAM. An attacker who can write that memory from the OS therefore redirects SMM execution and runs arbitrary code with SMM privileges, which sit beneath standard kernel-level (Ring 0) permissions and beneath any hypervisor.
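To make the callout pattern concrete, the following is an added example, not Insyde or Siemens code: a model of a software SMI handler in its vulnerable and hardened forms. SMRAM is simulated with an ordinary array so the code runs on any host, the service functions and the `dispatch` table stand in for code that, in real firmware, is compiled into the SMM driver and therefore lives in SMRAM, and `attacker_payload` stands in for code the attacker placed in ordinary OS memory. The `outside_smram` check plays the role that `SmmIsBufferOutsideSmmValid` plays in EDK II based firmware.

```c
/*
 * Added example (not Insyde or Siemens code): a model of an SMM callout in a
 * software SMI handler, with the vulnerable and hardened forms side by side.
 * SMRAM is simulated with an ordinary array; in real firmware the dispatch
 * table below is compiled into the SMM driver and so lives in SMRAM.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SMRAM_SIZE 4096u
static _Alignas(16) uint8_t smram[SMRAM_SIZE];   /* simulated SMRAM */

/* Communication buffer handed to the SMI handler. The OS owns this memory,
 * so every field, including the function pointer, is attacker-controlled. */
typedef struct {
    uint32_t op;                    /* requested service */
    uint32_t arg0, arg1;
    int (*handler)(const void *);   /* pointer the vulnerable handler trusts */
} comm_buf_t;

typedef int (*smm_fn)(const comm_buf_t *);

/* Legitimate services, modelled as SMRAM-resident code. */
static int svc_version(const comm_buf_t *b) { (void)b; return 0x0102; }
static int svc_add(const comm_buf_t *b)     { return (int)(b->arg0 + b->arg1); }

/* Code the attacker placed in ordinary OS memory (outside SMRAM). */
static int attacker_payload(const void *b) { (void)b; return 0xBAD; }

/* Vulnerable handler: follows a pointer read from OS-controlled memory,
 * so SMM "calls out" to whatever code the OS wrote there. */
int vulnerable_smi_handler(comm_buf_t *buf) {
    return buf->handler(buf);
}

/* True if [start, start+len) lies entirely outside the simulated SMRAM. */
static int outside_smram(uintptr_t start, size_t len) {
    uintptr_t base = (uintptr_t)smram, end = base + SMRAM_SIZE;
    if (start + len < start) return 0;               /* address wrap */
    return start + len <= base || start >= end;
}

static const smm_fn dispatch[] = { svc_version, svc_add };

/* Hardened handler: rejects a buffer that overlaps SMRAM, bounds-checks the
 * requested op and dispatches only through the SMRAM-resident table; the
 * OS-supplied function pointer is never dereferenced. */
int hardened_smi_handler(comm_buf_t *buf) {
    if (!outside_smram((uintptr_t)buf, sizeof *buf))
        return -1;                                   /* buffer overlaps SMRAM */
    if (buf->op >= sizeof dispatch / sizeof dispatch[0])
        return -2;                                   /* unknown service */
    return dispatch[buf->op](buf);
}

int main(void) {
    comm_buf_t req = { .op = 1, .arg0 = 2, .arg1 = 3, .handler = attacker_payload };
    printf("vulnerable: 0x%x (attacker code ran in SMM)\n", vulnerable_smi_handler(&req));
    printf("hardened:   %d (svc_add via the table)\n", hardened_smi_handler(&req));

    comm_buf_t *inside = (comm_buf_t *)smram;        /* buffer placed inside SMRAM */
    inside->op = 0;
    printf("hardened, buffer in SMRAM: %d\n", hardened_smi_handler(inside));
    return 0;
}
```

The hardened form never uses the OS-supplied pointer at all: the request selects a service by index into a table the OS cannot write, and the buffer location is checked before any field is read, so a buffer placed inside SMRAM (the other classic way to turn an SMI handler into a read/write primitive) is refused.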
## Exploitation
- **Status:** No exploitation in the wild is reported in the advisory; however, the techniques for exploiting this class of BIOS/SMM flaw are well documented in the security community.
- **Complexity:** Low (an attacker who already runs code on the host needs no special conditions).
- **Attack Vector:** Local (the vulnerable SMI handler is triggered from the operating system; the flaws are not reachable over the network).
## Impact
- **Confidentiality:** High (Access to all system memory and data).
- **Integrity:** High (Ability to modify firmware and bypass secure boot).
- **Availability:** High (Potential to brick the device or cause permanent denial of service).
## Remediation
### Patches
Siemens recommends updating to the latest BIOS versions for the following:
- **RUGGEDCOM APE1808:** Update to V1.0.202N or later.
- **SIMATIC Field PG M5:** Update to V22.01.10 (Note: V22.01.11 does not include a fix for CVE-2021-43613).
- **SIMATIC IPC127E:** Fix available as of the V1.8 advisory update.
- **SIMATIC IPC627E / 647E / 677E / 847E:** Update to the versions fixing CVE-2021-43613 listed in advisory update V1.9 (April 2025).
### Workarounds
- **Minimize Local Access:** Since the attack vector is local, restrict physical and administrative access to affected devices.
- **Trusted Software Only:** Run only trusted software with administrative privileges, since the malicious SMI is triggered by code executing on the host.
- **Defense-in-Depth:** Implement Siemens' recommended security practices for industrial environments.
## Detection
- **Indicators of Compromise:** Unexpected modifications to the firmware image or unauthorized changes to BIOS settings.
- **Detection methods and tools:** Use firmware integrity checking tools such as CHIPSEC to dump the SPI flash and compare the BIOS region against a known-good baseline from the same product and BIOS version, and to confirm that SMRAM and BIOS write-protection settings are locked.
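The baseline comparison above, as an added example that is not CHIPSEC, Siemens or Insyde code: the two images would normally be SPI dumps taken with `chipsec_util spi dump <file>` on a known-good unit and on the suspect one; here they are constructed in memory, and the region layout (`sample_layout`) is a hypothetical one, not the flash layout of any Siemens product. The offsets of changed blocks are mapped to regions so that a deviation in the BIOS region can be separated from expected changes elsewhere.

```c
/*
 * Added example (not CHIPSEC or Siemens code): block-wise comparison of a
 * firmware image against a known-good baseline, mapping each changed block to
 * a flash region. Images are constructed in memory; the region layout is
 * hypothetical.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    const char *name;
    size_t offset;   /* start of the region in the image */
    size_t size;
} fw_region_t;

/* Compares the images in blocks of `block` bytes and records the offset of
 * every block that differs. Returns the number of differing blocks found,
 * storing at most `max_out` offsets. */
size_t find_modified_blocks(const uint8_t *baseline, const uint8_t *current,
                            size_t len, size_t block,
                            size_t *offsets, size_t max_out) {
    size_t found = 0;
    for (size_t off = 0; off < len; off += block) {
        size_t n = (len - off < block) ? len - off : block;   /* last partial block */
        if (memcmp(baseline + off, current + off, n) != 0) {
            if (found < max_out) offsets[found] = off;
            found++;
        }
    }
    return found;
}

/* Names the region containing `off`, or "unmapped" if none does. */
const char *region_for_offset(const fw_region_t *regions, size_t n, size_t off) {
    for (size_t i = 0; i < n; i++)
        if (off >= regions[i].offset && off < regions[i].offset + regions[i].size)
            return regions[i].name;
    return "unmapped";
}

#define IMAGE_SIZE 0x10000u
#define BLOCK      0x1000u

static const fw_region_t sample_layout[] = {   /* hypothetical 64 KiB layout */
    { "Descriptor", 0x0000, 0x1000 },
    { "ME",         0x1000, 0x7000 },
    { "BIOS",       0x8000, 0x8000 },
};

/* Constructed sample: the baseline is a fixed byte pattern and the "current"
 * dump carries two modified blocks, one of them inside the BIOS region. */
size_t demo_report(size_t *offsets, size_t max_out) {
    static uint8_t baseline[IMAGE_SIZE], current[IMAGE_SIZE];
    for (size_t i = 0; i < IMAGE_SIZE; i++) baseline[i] = (uint8_t)(i * 7 + 3);
    memcpy(current, baseline, IMAGE_SIZE);
    current[0x2010] ^= 0xFF;       /* one byte changed in the ME region */
    current[0x9F00] = 0x90;        /* a write into the BIOS region */
    return find_modified_blocks(baseline, current, IMAGE_SIZE, BLOCK, offsets, max_out);
}

int main(void) {
    size_t offsets[16];
    size_t n = demo_report(offsets, 16);
    printf("%zu modified block(s)\n", n);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("  block at 0x%06zx in region %s\n", offsets[i],
               region_for_offset(sample_layout, 3, offsets[i]));
    return n == 0 ? 0 : 1;         /* non-zero exit on any deviation, for scripting */
}
```

Compare only dumps taken from the same product and BIOS version, and expect some regions (NVRAM variable stores, for instance) to change legitimately between boots; the value of the region mapping is that a changed block in the BIOS code region is the finding worth escalating.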
## References
- **Vendor Advisory:** SSA-306654
- **Siemens ProductCERT:** hxxps://www[.]siemens[.]com/cert/advisories
- **Insyde Security Pledge:** hxxps://www[.]insyde[.]com/security-pledge
- **RUGGEDCOM Upgrade Tool:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109814796/