Full Report
The Adaptec Maxview application shipped with affected SIMATIC IPCs contains a hard-coded, non-unique certificate to secure HTTPS connections between the browser and the local Maxview configuration application. A local attacker may use this key to decrypt intercepted local traffic between the browser and the application and could perform a man-in-the-middle attack in order to modify data in transit. Adaptec has released updates for the affected products and recommends updating to the latest versions. Siemens recommends countermeasures for products where updates are not, or not yet, available.
Analysis Summary
# Vulnerability: Hard-coded TLS Certificate in Adaptec Maxview for SIMATIC IPC
## CVE Details
- **CVE ID:** CVE-2023-23588
- **CVSS Score:** 6.2 (Medium)
- **CWE:** CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
## Affected Systems
- **Products:** SIMATIC IPC (Industrial PCs) utilizing Adaptec Maxview Storage Manager.
- **Versions:**
  - **SIMATIC IPC647E, IPC847E, IPC1047E:** All versions using maxView Storage Manager < 4.09.00.25611 on Windows.
  - **SIMATIC IPC647D, IPC847D, IPC1047:** All versions.
- **Configurations:** Systems using the default self-signed device X.509 certificate provided with the Maxview application.
## Vulnerability Description
The Adaptec Maxview application, which is bundled with several Siemens SIMATIC IPC models, utilizes a hard-coded, non-unique TLS certificate to secure HTTPS traffic between the local web browser and the Maxview configuration application. Because the private key associated with this certificate is static and identical across all installations, an attacker can obtain the key from the software distribution.
## Exploitation
- **Status:** PoC available (Exploitability classified as "Proof-of-Concept" in CVSS metrics).
- **Complexity:** Low.
- **Attack Vector:** Local (Requires the attacker to have local access to intercept traffic).
## Impact
- **Confidentiality:** High (Attacker can decrypt intercepted local traffic).
- **Integrity:** None reported in CVSS, though the summary notes potential for Man-in-the-Middle (MitM) to modify data in transit.
- **Availability:** None.
## Remediation
### Patches
Update **maxView Storage Manager** to version **4.09.00.25611** or later for the following models:
- SIMATIC IPC647E
- SIMATIC IPC847E
- SIMATIC IPC1047E
*Note: No fix is currently planned for "D" series models (IPC647D, IPC847D) or the IPC1047.*
### Workarounds
- **Certificate Replacement:** Manually replace the default self-signed X.509 certificate with a unique, trusted certificate generated specifically for the device.
- **General Hardening:** Follow Siemens' operational guidelines for Industrial Security to protect network access and operate in a protected IT environment.
## Detection
- **Indicators of Compromise:** Presence of the default Adaptec Maxview self-signed certificate in the browser or local certificate store. This shows that an installation is exposed, not that it has been attacked.
- **Detection methods:** Security audits should check for the use of the default Maxview TLS certificate (shared across devices) on port 8443 or other ports used by the Maxview web interface.
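
One way to run the audit described above, as an added example that is not taken from the Siemens or Adaptec material: it collects the certificate each IPC serves on port 8443 and flags hosts that present a known default certificate or share one certificate with another host. It assumes the Maxview interface is reachable from where the script runs; `KNOWN_DEFAULT_SHA256` is a placeholder because the page does not give the default certificate's fingerprint, and the host names are constructed.

```python
import hashlib
import socket
import ssl
import sys
from collections import defaultdict

# Placeholder: fill in the SHA-256 of the default certificate from an unpatched install.
KNOWN_DEFAULT_SHA256 = frozenset()

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def fetch_der(host: str, port: int = 8443, timeout: float = 5.0) -> bytes:
    """Return the server's leaf certificate; validation is off because this only inspects it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def audit(certs: dict, known_default=frozenset()) -> dict:
    """Map host -> list of findings. `certs` maps host -> DER certificate bytes."""
    by_fp = defaultdict(list)
    for host, der in certs.items():
        by_fp[fingerprint(der)].append(host)
    findings = {}
    for fp, hosts in by_fp.items():
        for host in hosts:
            notes = []
            if fp in known_default:
                notes.append("matches known default certificate")
            if len(hosts) > 1:  # one certificate on several devices: key is not unique
                notes.append("certificate shared with " + ", ".join(sorted(set(hosts) - {host})))
            if notes:
                findings[host] = notes
    return findings

if __name__ == "__main__":
    # With no arguments, run on constructed stand-in bytes (not real certificates).
    certs = {} if len(sys.argv) > 1 else {"ipc-a": b"demo-1", "ipc-b": b"demo-1", "ipc-c": b"demo-2"}
    for h in sys.argv[1:]:
        try:
            certs[h] = fetch_der(h)
        except OSError as exc:  # covers ssl.SSLError and connection failures
            print(f"{h}: unreachable ({exc})")
    for h, notes in sorted(audit(certs, KNOWN_DEFAULT_SHA256).items()):
        print(f"{h}: {'; '.join(notes)}")
```

A host with no findings serves a certificate that no other audited host uses; confirm separately that it was generated for that device.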
## References
- Siemens Security Advisory: [https://cert-portal.siemens.com/productcert/pdf/ssa-511182.pdf](https://cert-portal.siemens.com/productcert/pdf/ssa-511182.pdf)
- Microsemi Support: [https://storage.microsemi.com/en-us/support/raid/sas_raid/asr-3151-4i/](https://storage.microsemi.com/en-us/support/raid/sas_raid/asr-3151-4i/)
- Siemens Industrial Security Guidelines: [https://www.siemens.com/cert/operational-guidelines-industrial-security](https://www.siemens.com/cert/operational-guidelines-industrial-security)