Full Report
SIMOTION contains an information disclosure vulnerability that could allow an unauthenticated attacker to extract confidential technology object (TO) configuration from the device. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Information Disclosure in Siemens SIMOTION
## CVE Details
- **CVE ID:** CVE-2023-27465
- **CVSS Score:** 4.6 (Medium)
- **CVSS Vector:** CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- **CWE:** CWE-213 (Exposure of Sensitive Information Due to Incompatible Policies)
## Affected Systems
- **Products:**
- SIMOTION C240 (6AU1240-1AA00-0AA0)
- SIMOTION D (Multiple variants including D410-2, D425-2, D435-2, D445-2, D455-2)
- SIMOTION P320-4 (6AU1320-4DS66-3AG0)
- **Versions:** Affected products running versions earlier than V5.5 (the advisory specifically cites versions >= V5.4 and < V5.5).
- **Configurations:** Devices operated with "Security Level Low" (e.g., Service Selector Switch in position 8).
## Vulnerability Description
When a SIMOTION device is configured with "Security Level Low," it fails to adequately protect access to specific services intended for debugging purposes. An unauthenticated attacker with physical access to the device (the attack vector is physical) can use this lack of restriction to extract confidential Technology Object (TO) configuration data directly from the device.
## Exploitation
- **Status:** PoC available (indicated by the CVSS temporal metric "E:P", Proof-of-Concept; note that this temporal metric is not part of the base vector quoted above).
- **Complexity:** Low
- **Attack Vector:** Physical (An attacker must have physical access to the device or the local hardware interface).
## Impact
- **Confidentiality:** High (Successful exploitation allows unauthorized extraction of sensitive configuration data).
- **Integrity:** None
- **Availability:** None
## Remediation
### Patches
- **SIMOTION Software:** Update to V5.5 or later.
- **Legacy Hardware:** For certain older modules (C240, D445-2, P320-4 S), no fix is currently planned; users of these modules must rely on the workarounds and mitigations below.
### Workarounds
- **Configuration Hardening:** Avoid using "Security Level Low" in production environments. Ensure the Service Selector Switch is not in position 8.
- **Access Control:** Restrict physical access to the device to authorized personnel only.
- **Operational Guidelines:** Adhere to Siemens’ operational guidelines for Industrial Security.
## Detection
- **Indicators of Compromise:** Unusual debugging service activity, or unauthorized access to the device's physical service ports.
- **Detection methods and tools:** Audit physical access logs and periodically check the Service Selector Switch position on SIMOTION units to confirm they remain in a secure state rather than position 8 (the "Service" / Security Level Low position).
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-482956[.]pdf
- **Siemens Industrial Security:** hxxps://www[.]siemens[.]com/industrialsecurity
- **Operational Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security