Full Report
Affected models of the S7-1500 CPU product family do not contain an Immutable Root of Trust in Hardware. As a result, the integrity of the code executed on the device cannot be validated at load-time. An attacker with physical access to the device could use this to replace the boot image of the device and execute arbitrary code. Because exploiting this vulnerability requires physical tampering with the product, Siemens recommends assessing the risk of physical access to the device in the target deployment and implementing measures to ensure that only trusted personnel have access to the physical hardware. The vulnerability is related to the hardware of the product. Siemens has released new hardware versions for several CPU types of the S7-1500 product family in which this vulnerability is fixed, and is working on new hardware versions for the remaining PLC types to address this vulnerability completely. See the chapter “Additional Information” below for more details. For more information, please also refer to the related product support article: https://support.industry.siemens.com/cs/ww/en/view/109816536/.
Analysis Summary
# Vulnerability: Missing Immutable Root of Trust in SIMATIC S7-1500 CPUs
## CVE Details
- **CVE ID:** CVE-2022-38773
- **CVSS Score:** 4.6 (Medium)
- **CVSS Vector:** CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
- **CWE:** CWE-1326: Missing Immutable Root of Trust in Hardware
## Affected Systems
- **Products:**
- SIMATIC S7-1500 CPU family (including ET200 CPUs and SIPLUS variants)
- SIMATIC Drive Controller family
- **Versions:** All hardware versions preceding the newly released fixed hardware iterations.
- **Configurations:** Devices deployed in areas where physical access is possible.
## Vulnerability Description
Affected models of the S7-1500 CPU product family lack an **Immutable Root of Trust (RoT)** in the hardware. Because the RoT is missing, the device cannot perform a secure boot process that validates the integrity of the code at load-time. This architectural flaw allows an attacker with physical access to the device to bypass signature verification of the boot image by replacing the image itself.
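An added illustration of the load-time check the advisory describes, not Siemens code: a simplified Python model in which the bootloader's trust anchor either lives in immutable hardware or only in rewritable flash (the CWE-1326 condition). The key, image and device layout are constructed assumptions, and HMAC-SHA256 stands in for the asymmetric signature a real secure-boot scheme would use.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed stand-ins for the vendor signing key and boot image (not real Siemens material).
VENDOR_KEY = b"constructed-vendor-signing-key"
VENDOR_IMAGE = b"constructed boot image v1"


def sign(key: bytes, image: bytes) -> bytes:
    # HMAC-SHA256 stands in for the asymmetric image signature of a real secure-boot scheme.
    return hmac.new(key, image, hashlib.sha256).digest()


@dataclass
class Device:
    # Hash of the vendor key burned into immutable hardware, or None when the device has no
    # immutable Root of Trust (the CWE-1326 condition described in the advisory).
    rom_anchor: Optional[bytes]
    # Everything a person with physical access to the board can rewrite.
    flash: dict = field(default_factory=dict)


def write_flash(dev: Device, key: bytes, image: bytes) -> None:
    # Flash holds the image, its signature, the signing key and a flash-resident copy of the anchor.
    dev.flash = {"image": image, "sig": sign(key, image), "key": key,
                 "anchor": hashlib.sha256(key).digest()}


def boot_verifies(dev: Device) -> bool:
    """Load-time check: is the signing key trusted, and does it validate the image?"""
    f = dev.flash
    # Without an immutable RoT, the only anchor the bootloader can consult lives in flash too.
    anchor = dev.rom_anchor if dev.rom_anchor is not None else f["anchor"]
    if not hmac.compare_digest(hashlib.sha256(f["key"]).digest(), anchor):
        return False
    return hmac.compare_digest(sign(f["key"], f["image"]), f["sig"])


def scenario(has_immutable_rot: bool) -> Tuple[bool, bool]:
    """Returns (boot result with vendor image, boot result after flash is rewritten)."""
    anchor = hashlib.sha256(VENDOR_KEY).digest() if has_immutable_rot else None
    dev = Device(rom_anchor=anchor)
    write_flash(dev, VENDOR_KEY, VENDOR_IMAGE)
    before = boot_verifies(dev)
    # The physical-access scenario from the advisory: flash contents replaced wholesale.
    write_flash(dev, b"constructed-other-key", b"constructed replacement image")
    return before, boot_verifies(dev)
```

`scenario(False)` returns `(True, True)`: with no immutable anchor, the rewritten flash verifies against the anchor it brought along, so nothing at load-time distinguishes it from the vendor image. `scenario(True)` returns `(True, False)`: the hardware-resident anchor rejects the foreign key, which is what the fixed hardware versions provide.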
## Exploitation
- **Status:** Not currently reported as exploited in the wild; PoC not publicly linked in advisory.
- **Complexity:** Low (Technical execution is straightforward once physical access is gained).
- **Attack Vector:** Physical (Requires physical tampering with the product hardware).
## Impact
- **Confidentiality:** Low (Potential access to device data/configuration).
- **Integrity:** **High** (Attacker can replace the boot image and execute arbitrary code).
- **Availability:** Low (Device operation may be interrupted or permanently altered).
## Remediation
### Patches
This vulnerability is inherent to the hardware design and **cannot be fixed via software or firmware updates**. Siemens has released new hardware versions for several CPU types. Users must replace existing modules with these specific hardware versions to resolve the flaw:
* CPU 1511-1 PN (6ES7511-1AL03-0AB0)
* CPU 1513-1 PN (6ES7513-1AM03-0AB0)
* CPU 1515-2 PN (6ES7515-2RM03-0AB0)
* CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0)
* CPU 1518-3 PN (6ES7518-3AT10-0AB0)
* *(Refer to the full advisory for the complete list of 20+ replacement hardware models).*
### Workarounds
For legacy hardware where replacement is not immediately feasible:
- Implement strict physical security measures to ensure only trusted personnel can access the hardware.
- Assess the risk of physical tampering within the specific deployment environment.
- Follow Siemens' "Operational Guidelines for Industrial Security."
## Detection
- **Indicators of Compromise:** Detection of physical tampering (broken seals, unusual port connections).
- **Detection methods:** There are no automated software-based detection methods for an altered boot image due to the lack of the Root of Trust; physical inspection and secure chain-of-custody are the primary defenses.
## References
- **Siemens Security Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-482757[.]pdf
- **Product Support Article:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109816536/
- **Siemens CERT Advisories:** hxxps://www[.]siemens[.]com/cert/advisories