Lack of Immutable Root of Trust in Siemens Devices
CVE-2022-38773

4.6MEDIUM

Key Information:

Vendor: Siemens
Status: Simatic Drive Controller Cpu 1504d Tf; Simatic Drive Controller Cpu 1507d Tf; Simatic S7-1500 Cpu 1510sp F-1 Pn; Simatic S7-1500 Cpu 1510sp-1 Pn
Vendor: CVE Published:; 10 January 2023

What is CVE-2022-38773?

The vulnerability arises from the absence of an Immutable Root of Trust in the hardware of specific Siemens devices. This oversight prevents the validation of code integrity during the device's load-time. An attacker with physical access could exploit this flaw by replacing the boot image, thus executing arbitrary code, compromising device security.

Affected Version(s)

SIMATIC Drive Controller CPU 1504D TF 0

SIMATIC Drive Controller CPU 1507D TF 0

SIMATIC S7-1500 CPU 1510SP F-1 PN 0

References

https://cert-portal.siemens.com/productcert/pdf/ssa-48275...

https://cert-portal.siemens.com/productcert/html/ssa-4827...

CVSS V3.1

Score:

4.6

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Physical

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 10, 2023
Vulnerability Reserved
Aug 26, 2022