Full Report
Several Intel-CPU based SIMATIC IPCs are affected by an information exposure vulnerability (CVE-2022-40982) in the CPU that could allow an authenticated local user to potentially read other users' data [1]. The issue is also known as "Gather Data Sampling" (GDS) or Downfall. For details refer to the chapter "Additional Information".

Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available.

[1] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html
Analysis Summary
# Vulnerability: Information Disclosure in Intel CPUs Affecting SIMATIC IPCs (Gather Data Sampling/Downfall)
## CVE Details
- CVE ID: CVE-2022-40982
- CVSS Score: 6.5 (Medium), CVSS v3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
- CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
## Affected Systems
- Products: SIMATIC Field PG M6, SIMATIC IPC627E, SIMATIC IPC647E, SIMATIC IPC677E, SIMATIC IPC847E, SIMATIC IPC1047, SIMATIC IPC1047E, SIMATIC IPC BX-39A, IPC PX-39A, IPC PX-39A PRO. (Note: The vulnerability is rooted in the underlying Intel CPU architecture.)
- Versions:
- SIMATIC Field PG M6: All versions < V26.01.11
- SIMATIC IPC627E / IPC647E / IPC677E / IPC847E: All versions < V25.02.14 (as listed for these models in the Siemens advisory)
- SIMATIC IPC1047: All versions (No fix currently planned)
- SIMATIC IPC1047E: All versions < V4.2
- SIMATIC IPC BX-39A / IPC PX-39A / IPC PX-39A PRO: All versions < V29.01.04
- Configurations: Requires an affected Intel CPU (as fitted in the listed IPC models) and the ability to execute unprivileged code locally as an authenticated user; the attacker's code has to run on the same physical core as the victim's.
## Vulnerability Description
CVE-2022-40982, also known as Gather Data Sampling (GDS) or Downfall, is an information exposure vulnerability in the vector execution units of affected Intel processors. It is a transient-execution (speculative execution) side channel: during speculation, the AVX2/AVX-512 Gather instruction can forward stale data from an internal SIMD register buffer that is shared by code running on the same physical core, and that data can then be recovered through a cache side channel. An **authenticated local user** who can run unprivileged code on the system can exploit this flaw to potentially read sensitive data belonging to other users or processes on the same system. The attack leaves no trace in system logs and does not require administrative rights.
## Exploitation
- Status: The Siemens advisory does not report exploitation in the wild. Public proof-of-concept code for GDS exists (it was released together with the Downfall research), but no PoC targeting these SIMATIC IPCs specifically has been confirmed through Siemens channels.
- Complexity: Low (CVSS AC:L). Privileges Required: Low; the attacker needs only to execute unprivileged code on the host, not administrative rights. The practical constraint is co-location: the attacking code must share a physical core with the victim.
- Attack Vector: Local (not exploitable over the network; the attacker must already be able to run code on the affected IPC).
## Impact
- Confidentiality: High (potential to read other users' data)
- Integrity: None (no modification of data)
- Availability: None (no impact on availability)
- Scope: Changed (data can be read across process and user boundaries, which is why the score is 6.5 despite the local vector)
## Remediation
### Patches
Siemens has released firmware (BIOS) updates for several affected SIMATIC IPC models; these carry the Intel microcode that contains the GDS mitigation:
- **SIMATIC Field PG M6**: Update to V26.01.11 or later.
- **SIMATIC IPC627E / IPC647E / IPC677E / IPC847E**: Update to V25.02.14 or later.
- **SIMATIC IPC1047E**: Update to V4.2 or later.
- **SIMATIC IPC BX-39A / IPC PX-39A / IPC PX-39A PRO**: Update to V29.01.04 or later.
- **SIMATIC IPC1047**: Currently, no fix is planned.
### Workarounds
Specific countermeasures are recommended for products where fixes are not yet available (and for the SIMATIC IPC1047, where no fix is planned). Users must refer to the "Workarounds and Mitigations" section of the official Siemens advisory SSA-981975 for the authoritative list (e.g., loading Intel's microcode update through the operating system instead of the BIOS, or restricting who can execute code locally on the IPC). Note that the microcode mitigation has a performance cost for gather-heavy workloads, and that it can be disabled at runtime by an administrator unless the BIOS has locked it.
## Detection
- There are no reliable indicators of compromise for a transient-execution side channel: a GDS attack consists of ordinary user-mode instructions, raises no faults and writes nothing to system logs. Siemens provides no IOCs for this issue. In practice, "detection" means verifying that the mitigation is in place: confirm the fixed BIOS version listed above is installed, that the running microcode revision includes Intel's GDS mitigation, and that the operating system reports the mitigation as active (on Linux, /sys/devices/system/cpu/vulnerabilities/gather_data_sampling).
- The root cause is addressed by an Intel microcode update, delivered through the BIOS/UEFI updates above or by OS microcode loading. The updated microcode stops Gather from forwarding stale data; it also exposes control bits (GDS_MITG_DIS to disable the mitigation, GDS_MITG_LOCK to prevent further changes until reboot) in the IA32_MCU_OPT_CTRL MSR, so a host that reports "Vulnerable" after the BIOS update has most likely had the mitigation switched off deliberately (for example with the Linux kernel parameter gather_data_sampling=off).
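The following is an added example written for this summary, not code from Siemens or Intel: a POSIX shell script that reads the GDS status the Linux kernel reports in sysfs, classifies it, and records the running microcode revision so it can be compared with the firmware release notes. The sysfs path and the status strings are those documented in the Linux kernel's gather_data_sampling admin guide; the function names and verdict labels are this example's own choices. It does not apply to Windows-based IPCs, where the installed BIOS version is checked against the Siemens table instead.

```sh
#!/bin/sh
# Added example (not from the Siemens advisory or Intel documentation):
# verify the GDS mitigation status that a Linux kernel reports for a host,
# and record the running microcode revision. The sysfs path and the status
# strings are the ones the Linux kernel documents for gather_data_sampling;
# the verdict labels and function names are illustrative.

GDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling

# classify_gds STATUS
# Map the kernel's status string to a verdict: "ok", "vulnerable" or "unknown".
# Unrecognised strings are treated as unknown rather than as mitigated, so a
# new kernel wording can never produce a false pass.
classify_gds() {
  case "$1" in
    "Not affected"|"Mitigation: Microcode"|"Mitigation: Microcode (locked)")
      echo ok ;;
    "Vulnerable"|"Vulnerable: No microcode")
      # "Vulnerable" also appears when an admin booted with gather_data_sampling=off
      echo vulnerable ;;
    *)
      # e.g. "Unknown: Dependent on hypervisor status" inside a guest VM
      echo unknown ;;
  esac
}

# microcode_rev < /proc/cpuinfo
# Print the microcode revision of the first logical CPU. /proc/cpuinfo
# carries one line per CPU of the form "microcode<TAB>: 0xf0".
microcode_rev() {
  awk '/^microcode/ { print $NF; exit }'
}

# check_host
# Read the live sysfs entry (if present) and print a one-line report.
# Returns 0 when the kernel reports the mitigation (or "Not affected"),
# 1 when it reports vulnerable, 2 when the status cannot be determined
# (kernel predates GDS reporting, non-Linux host, or a VM guest).
check_host() {
  if [ ! -r "$GDS_SYSFS" ]; then
    echo "gds: no sysfs entry (kernel predates GDS reporting, or not Linux)"
    return 2
  fi
  status=$(cat "$GDS_SYSFS")
  verdict=$(classify_gds "$status")
  rev=$(cat /proc/cpuinfo 2>/dev/null | microcode_rev)
  echo "gds: $verdict ($status), microcode ${rev:-unknown}"
  case "$verdict" in
    ok) return 0 ;;
    vulnerable) return 1 ;;
    *) return 2 ;;
  esac
}

# Print the report when run as a script. In your own tooling call check_host
# directly and act on its exit status (e.g. `check_host || alert`).
check_host || true
```

The sysfs file is world-readable, so the check needs no privileges. A host that reports "Vulnerable: No microcode" after the Siemens BIOS update points at a BIOS that did not actually install, or a BIOS that ships older microcode than the OS expects; "Vulnerable" on its own usually means the mitigation was disabled with gather_data_sampling=off. The microcode revision printed is only meaningful when compared against the revision stated in the vendor's release notes for that BIOS version, which this example does not encode.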
## References
- Vendor Advisory: Siemens SSA-981975, https://cert-portal.siemens.com/productcert/html/ssa-981975.html
- Related Intel Advisory: INTEL-SA-00828, https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html
- GDS Documentation: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/gather-data-sampling.html
- Downfall Attacks Information: https://downfall.page/