Non-Unique TLS Certificate Vulnerability in SIMATIC IPC Products by Siemens
CVE-2023-23588

6.2MEDIUM

Key Information:

Vendor: Siemens
Status: Simatic Ipc1047; Simatic Ipc1047e; Simatic Ipc647d; Simatic Ipc647e
Vendor: CVE Published:; 11 April 2023

What is CVE-2023-23588?

A significant vulnerability exists in the SIMATIC IPC series, specifically affecting devices with the Adaptec Maxview application. The issue stems from the use of a non-unique TLS certificate across installations, which could allow a local attacker to intercept and decrypt traffic between the browser and the application. This vulnerability can lead to man-in-the-middle attacks, enabling the modification of in-transit data, posing serious risks to data integrity and confidentiality.

Affected Version(s)

SIMATIC IPC1047 All versions

SIMATIC IPC1047E All versions with maxView Storage Manager < 4.09.00.25611 on Windows

SIMATIC IPC647D All versions

References

https://cert-portal.siemens.com/productcert/pdf/ssa-51118...

CVSS V3.1

Score:

6.2

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 11, 2023
Vulnerability Reserved
Jan 13, 2023