Full Report
The products listed below contain a vulnerability that could allow an attacker to perform an out-of-bounds read, potentially leading to information disclosure or denial of service of the TPM. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Out-of-Bounds Read in Siemens TPM 2.0 Implementations
## CVE Details
- **CVE ID:** CVE-2025-2884
- **CVSS Score:** 6.6 (Medium)
- **CWE:** CWE-125 (Out-of-bounds Read)
## Affected Systems
- **SIMATIC CN 4100:** All versions with Hardware versions < FS 05.
- **SIMATIC Field PG:** Models M5 and M6 (All versions).
- **SIMATIC IPC227E / IPC277E:** All versions.
- **SIMATIC IPC427E / IPC477E / IPC477E PRO:** All versions < V21.01.20.
- **SIPLUS IPC427E:** All versions < V21.01.20.
- **SIMATIC IPC627E / IPC647E / IPC677E / IPC847E:** All versions.
- **SIMATIC IPC BX-32A / BX-39A:** All versions < V29.01.09.
- **SIMATIC IPC PX-39A / PX-39A PRO:** All versions < V29.01.09.
## Vulnerability Description
The vulnerability exists within the Trusted Computing Group (TCG) TPM2.0 reference implementation, specifically in the `CryptHmacSign` helper function. The flaw is caused by a lack of proper validation between the requested signature scheme and the signature key's algorithm. This oversight allows an attacker to trigger an out-of-bounds read.
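As an added illustration, not code from the TCG reference implementation or from Siemens, the following C model shows the class of check the description refers to: a keyed-hash signing routine that validates the caller's signature scheme against the algorithm bound to the key before any size derived from the scheme is used to index a table or to size a copy. The algorithm identifiers, return codes, structures, the toy keyed digest and the sample key are all constructed for this example and are not the TPM 2.0 constants or types; the treatment of a null scheme as "use the key's own algorithm" is modelled on TPM 2.0 behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical algorithm identifiers and return codes, constructed for this
 * example; they are not the TCG TPM 2.0 constants. */
enum hash_alg { HASH_NULL = 0, HASH_SHA256 = 1, HASH_SHA384 = 2,
                HASH_SHA512 = 3, HASH_ALG_COUNT = 4 };
enum sign_rc { RC_SUCCESS = 0, RC_SCHEME = 1, RC_SIZE = 2 };

#define MAX_DIGEST 64

/* Digest size in bytes, indexed by enum hash_alg. */
static const size_t digest_size[HASH_ALG_COUNT] = { 0, 32, 48, 64 };

/* A keyed-hash key: the hash algorithm is bound at creation time and only
 * secret_len bytes of the secret buffer are valid. */
struct keyed_hash_key {
    enum hash_alg hash_alg;
    size_t secret_len;
    uint8_t secret[MAX_DIGEST];
};

/* Signature scheme requested by the caller of the sign command. */
struct sign_scheme { enum hash_alg hash_alg; };

struct signature {
    enum hash_alg hash_alg;
    size_t len;
    uint8_t mac[MAX_DIGEST];
};

/* Toy keyed digest standing in for HMAC so the example runs without a crypto
 * library. It is NOT a secure MAC; only the validation around it matters. */
static void toy_keyed_digest(const uint8_t *key, size_t key_len,
                             const uint8_t *msg, size_t msg_len,
                             uint8_t *out, size_t out_len)
{
    for (size_t i = 0; i < out_len; i++) {
        uint8_t acc = (uint8_t)(i * 31u);
        for (size_t k = 0; k < key_len; k++) acc = (uint8_t)(acc * 33u + key[k]);
        for (size_t m = 0; m < msg_len; m++) acc = (uint8_t)(acc * 17u + msg[m]);
        out[i] = acc;
    }
}

/* Resolve the algorithm a signature will use. A null scheme means "use the
 * key's own algorithm" (modelled on TPM 2.0 behaviour); any other scheme must
 * name exactly the key's algorithm. Returns HASH_NULL on disagreement. */
enum hash_alg resolve_sign_alg(const struct keyed_hash_key *key,
                               const struct sign_scheme *scheme)
{
    if (scheme->hash_alg == HASH_NULL) return key->hash_alg;
    if (scheme->hash_alg != key->hash_alg) return HASH_NULL;
    return scheme->hash_alg;
}

/* Hardened signing entry point: no size derived from the caller's scheme is
 * used for table indexing or copying until the scheme has been validated
 * against the key. */
int hmac_sign_checked(const struct keyed_hash_key *key,
                      const struct sign_scheme *scheme,
                      const uint8_t *msg, size_t msg_len,
                      struct signature *sig)
{
    if (key->hash_alg == HASH_NULL || (unsigned)key->hash_alg >= HASH_ALG_COUNT)
        return RC_SCHEME;                 /* key object carries no usable algorithm */
    if ((unsigned)scheme->hash_alg >= HASH_ALG_COUNT)
        return RC_SCHEME;                 /* unknown algorithm identifier */
    if (key->secret_len > sizeof key->secret)
        return RC_SIZE;                   /* malformed key object */

    /* The check the advisory describes as missing: the requested scheme must
     * agree with the algorithm bound to the signing key. */
    enum hash_alg alg = resolve_sign_alg(key, scheme);
    if (alg == HASH_NULL)
        return RC_SCHEME;

    size_t n = digest_size[alg];          /* alg is a validated index here */
    if (n == 0 || n > sizeof sig->mac)
        return RC_SIZE;

    memset(sig, 0, sizeof *sig);
    sig->hash_alg = alg;
    sig->len = n;
    toy_keyed_digest(key->secret, key->secret_len, msg, msg_len, sig->mac, n);
    return RC_SUCCESS;
}

/* Convenience wrapper over a sample key constructed for the example: a
 * SHA-256 keyed-hash key whose 32 secret bytes are all 0xAB. */
int sign_sample(enum hash_alg scheme_alg, struct signature *sig)
{
    struct keyed_hash_key key;
    memset(&key, 0, sizeof key);
    key.hash_alg = HASH_SHA256;
    key.secret_len = 32;
    memset(key.secret, 0xAB, key.secret_len);

    struct sign_scheme scheme = { scheme_alg };
    static const uint8_t msg[] = "constructed message";
    return hmac_sign_checked(&key, &scheme, msg, sizeof msg - 1, sig);
}

int main(void)
{
    struct signature sig;
    int rc = sign_sample(HASH_SHA256, &sig);
    printf("matching scheme: rc=%d len=%zu\n", rc, sig.len);
    rc = sign_sample(HASH_SHA512, &sig);
    printf("SHA-512 scheme on SHA-256 key: rc=%d (rejected before any lookup)\n", rc);
    return 0;
}
```

The design point is ordering: the scheme is compared with the key's bound algorithm first, and only the resolved, validated identifier is ever used as a table index or as a length, so a caller-supplied scheme that disagrees with the key produces a scheme error rather than a read past the data that belongs to the key.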
## Exploitation
- **Status:** The advisory does not state whether a proof of concept is available or whether the vulnerability is being actively exploited (the flaw is inherited from the TCG reference implementation).
- **Complexity:** Low
- **Attack Vector:** Local (Requires local access to the system to interact with the TPM).
- **User Interaction:** Required (UI:R).
## Impact
- **Confidentiality:** High (Potential for information disclosure from TPM memory).
- **Integrity:** None.
- **Availability:** High (Potential for Denial of Service of the TPM component).
## Remediation
### Patches
Siemens has released updates for specific IPC models. Users are encouraged to update to the following versions or later:
- **SIMATIC IPC427E / IPC477E (incl. PRO) / SIPLUS IPC427E:** Update to **V21.01.20**.
- **SIMATIC IPC BX-32A / BX-39A / PX-39A (incl. PRO):** Update to **V29.01.09**.
- **SIMATIC CN 4100:** Migrate to Hardware version **FS 05**.
### Workarounds
For products where no fix is currently available (for example the Field PG M5/M6 and the IPC627E series):
- Follow general industrial security operational guidelines.
- Restrict physical and local access to affected devices to authorized personnel only.
- Monitor vendor advisories for future firmware releases.
## Detection
- **Indicators of Compromise:** Unexplained TPM instability, or local processes issuing TPM signing operations that are not expected from their role.
- **Detection methods:** Audit local logs for hardware errors related to the TPM; use vulnerability scanners to identify Siemens hardware running older BIOS/firmware versions than those listed under Patches.
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-628843[.]html
- **Siemens Industrial Security Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security
- **TCG Advisory:** hxxps://trustedcomputinggroup[.]org/wp-content/uploads/VRT0009-Advisory-FINAL[.]pdf
- **Siemens Support Portal:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109763408/