Full Report
Intel has published information on vulnerabilities in Intel products in November 2022. This advisory lists the related Siemens Industrial products affected by these vulnerabilities, which can be patched by applying the corresponding BIOS update (“2022.3 IPU – BIOS Advisory”, Intel-SA-00688). Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Intel 2022.3 IPU BIOS TOCTOU Race Condition in Siemens Industrial Products
## CVE Details
- **CVE ID:** CVE-2022-21198
- **CVSS Score:** 7.9 (High)
- **CWE:** CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition)
## Affected Systems
- **Products:** SIMATIC Field PG and SIMATIC Industrial PC (IPC) families.
- **Versions:**
  - **SIMATIC Field PG M5:** Versions prior to V22.01.11
  - **SIMATIC Field PG M6:** Versions prior to V26.01.11
  - **SIMATIC IPC BX-39A / PX-39A / PX-39A PRO:** Versions prior to V29.01.03
  - **SIMATIC IPC427E / IPC477E / IPC477E PRO:** Versions prior to V21.01.19
  - **SIMATIC IPC627E / IPC647E / IPC677E / IPC847E:** See advisory for specific BIOS update versions.
- **Configurations:** Systems utilizing affected Intel processors requiring the 2022.3 Intel Platform Update (IPU).
## Vulnerability Description
A flaw in the BIOS firmware for certain Intel processor platforms allows a race condition between the time a security check is performed and the time the result of that check is used (TOCTOU). An attacker who wins this race can bypass intended security boundaries within the firmware environment.
## Exploitation
- **Status:** Not currently reported as exploited in the wild; PoC status is not explicitly stated, but the vulnerability is documented by Intel (Intel-SA-00688).
- **Complexity:** Low
- **Attack Vector:** Local (Requires authenticated access to the system).
- **Privileges Required:** High (The attacker must already possess administrative or elevated privileges on the local machine).
## Impact
- **Confidentiality:** None
- **Integrity:** High (Allows for unauthorized modification of firmware-level data/settings).
- **Availability:** High (Can be used to render the system unstable or result in a Denial of Service).
- **Scope:** Changed (The impact can extend beyond the immediate software component to the underlying hardware/firmware).
## Remediation
### Patches
Siemens recommends updating affected products to the following versions (or later):
- **Field PG M5:** V22.01.11
- **Field PG M6:** V26.01.11
- **IPC BX-39A / PX-39A Series:** V29.01.03
- **IPC427E / IPC477E Series:** V21.01.19
### Workarounds
For products where patches are not yet available or cannot be immediately applied:
- **Restrict Access:** Limit physical and local administrative access to the affected devices to trusted personnel only.
- **Operational Guidelines:** Adhere to Siemens' operational guidelines for Industrial Security and ensure the environment follows the principle of least privilege.
## Detection
- **Indicators of Compromise:** Non-standard or unauthorized BIOS/Firmware configuration changes.
- **Detection Methods:** Audit local accounts to ensure only authorized users hold the elevated (administrative) privileges required for exploitation. Use asset management tools to verify installed BIOS versions against the fixed versions listed above.
## References
- **Siemens Advisory:** hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-686975.pdf
- **Intel Security Advisory:** hxxps://www.intel[.]com/content/www/us/en/security-center/advisory/intel-sa-00688.html
- **Siemens Industrial Security Guidelines:** hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security