Full Report
SIMATIC S7-1200 CPU V2 devices contain an insufficiently protected private key for the Certificate Authority (CA) used for HTTPS connections. Possession of this key could allow remote attackers to spoof the device's web server by creating a forged web server certificate. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available. Refer to the chapter Additional Information for more details.
Analysis Summary
# Vulnerability: Insufficiently Protected HTTPS CA Private Key in SIMATIC S7-1200 CPU V2
## CVE Details
- **CVE ID:** CVE-2012-3037
- **CVSS Score:**
  - CVSS v4.0: **9.1 (Critical)**
  - CVSS v3.1: **7.4 (High)**
- **CWE:** CWE-321 (Use of Hard-coded Cryptographic Key)
## Affected Systems
- **Products:**
  - SIMATIC S7-1200 CPU V2 family
  - SIPLUS S7-1200 CPU V2 variants (based on SIMATIC firmware)
- **Versions:** All versions of the V2 hardware family.
- **Configurations:** Systems where the user has manually trusted the integrated "SIMATIC CONTROLLER" Certificate Authority (CA) in their web browser.
## Vulnerability Description
The affected devices use an integrated Certificate Authority (CA) to issue the certificates presented on HTTPS connections. The private key of this CA is insufficiently protected (effectively hard-coded or extractable), and the same key is shared across the V2 product line, so anyone who obtains it can issue web server certificates that chain to the CA. If a user has installed the "SIMATIC CONTROLLER" CA into the browser's trusted root store, the browser will accept any certificate signed with that compromised key without a warning, so the CA can no longer prove which device is at the other end of the connection.
## Exploitation
- **Status:** PoC available (demonstrated by external researchers).
- **Complexity:** Low (CVSS 4.0 assessment) / High (CVSS 3.1 assessment).
- **Attack Vector:** Network. The flaw allows for Man-in-the-Middle (MitM) attacks and device spoofing.
## Impact
- **Confidentiality:** High (Attackers can intercept and decrypt HTTPS traffic).
- **Integrity:** High (Attackers can spoof the web interface and provide false data or commands).
- **Availability:** None.
## Remediation
### Patches
- **No fix planned:** Siemens has indicated that no firmware updates are planned for the S7-1200 V2 family to address this specific architectural flaw.
### Workarounds
- **Uninstall CA Keys:** Immediately remove the "SIMATIC CONTROLLER" CA certificate from the certificate store of any web browsers used to manage these PLCs.
- **Manual Verification:** After removing the CA, users should manually inspect and accept the individual self-signed certificate for each PLC.
- **Network Segmentation:** Protect network access to the devices and ensure they operate within a protected industrial environment (following Siemens' operational guidelines).
## Detection
- **Indicators of Compromise:** A certificate warning for a PLC whose certificate was previously inspected and accepted (after the CA was removed from the store), which means the presented certificate has changed; or the presence of the "SIMATIC CONTROLLER" root CA in certificate stores where it was never intentionally installed.
- **Detection Methods:** Audit browser certificate stores on engineering workstations for the "SIMATIC CONTROLLER" CA. Monitor traffic to PLC management ports for Man-in-the-Middle indicators such as a changed server certificate or an unexpected intermediary between workstation and PLC.
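The two workarounds above (remove the shared CA, then inspect and pin each PLC's own certificate) and the store audit under Detection can be implemented together. The following is an added example, not code from the advisory or from Siemens: it walks a PEM bundle exported from a certificate store, flags any certificate whose issuer or subject commonName is "SIMATIC CONTROLLER" (the CA name given in the advisory), and compares each remaining PLC certificate against a SHA-256 fingerprint recorded after manual inspection. It uses only the Python standard library, so it carries a minimal DER walker instead of a full X.509 parser; it assumes well-formed certificates with a commonName in issuer and subject. The certificates in `SAMPLE_BUNDLE` are constructed, unsigned test data with placeholder names (`plc-01.example`, `plc-02.example`), not real Siemens certificates.

```python
"""Audit a PEM bundle for the shared "SIMATIC CONTROLLER" CA and pin PLC
web-server certificates by SHA-256 fingerprint (stdlib only)."""
import base64
import hashlib
import re

SHARED_CA_CN = "SIMATIC CONTROLLER"                    # CA name as given in the advisory
OID_CN = bytes.fromhex("550403")                       # 2.5.4.3 commonName
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # used only by the sample builder


def der_children(blob):
    """Yield (tag, body) for every TLV inside a constructed DER value."""
    i = 0
    while i < len(blob):
        tag, n = blob[i], blob[i + 1]
        i += 2
        if n & 0x80:                                   # long-form length
            k = n & 0x7F
            n = int.from_bytes(blob[i:i + k], "big")
            i += k
        yield tag, blob[i:i + n]
        i += n


def name_cn(name_body):
    """commonName from an X.501 Name: SEQUENCE OF SET OF SEQUENCE {OID, value}."""
    for _, rdn in der_children(name_body):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = list(der_children(atv))[:2]
            if oid == OID_CN:
                return value.decode("utf-8")
    return None


def parse_cert(der):
    """Return (issuer_cn, subject_cn, sha256_fingerprint_hex) for a DER certificate."""
    (_, cert_body), = der_children(der)                # Certificate ::= SEQUENCE {tbs, alg, sig}
    (_, tbs), *_ = der_children(cert_body)
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                           # optional EXPLICIT [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return name_cn(fields[2][1]), name_cn(fields[4][1]), hashlib.sha256(der).hexdigest()


def pem_certs(text):
    """Yield DER bytes for each CERTIFICATE block in a PEM bundle."""
    pat = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    for b64 in re.findall(pat, text, re.S):
        yield base64.b64decode("".join(b64.split()))


def audit_store(pem_text, pinned=None):
    """Classify every certificate in the bundle.

    pinned maps subject CN -> SHA-256 fingerprint recorded after a person inspected
    that PLC's self-signed certificate out-of-band (the manual-verification workaround).
    """
    pinned = pinned or {}
    findings = []
    for der in pem_certs(pem_text):
        issuer, subject, fp = parse_cert(der)
        if subject == SHARED_CA_CN and issuer == SHARED_CA_CN:
            verdict = "REMOVE: shared CA root present in trust store"
        elif issuer == SHARED_CA_CN:
            verdict = "UNTRUSTED: issued by shared CA, proves nothing about the PLC"
        elif subject in pinned:
            verdict = "PINNED-OK" if pinned[subject] == fp else "PIN-MISMATCH: certificate changed, possible spoof"
        else:
            verdict = "UNPINNED: inspect out-of-band, then record fingerprint"
        findings.append((subject, issuer, fp, verdict))
    return findings


# ---- constructed sample data (not real Siemens certificates) -----------------
def _tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + body


def _name(cn):
    atv = _tlv(0x30, _tlv(0x06, OID_CN) + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn):
    """Structurally valid, unsigned X.509 DER wrapped in PEM, for the demo only."""
    validity = _tlv(0x30, _tlv(0x17, b"200101000000Z") + _tlv(0x17, b"300101000000Z"))
    alg = _tlv(0x30, _tlv(0x06, OID_SHA256_RSA))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
                 + _name(issuer_cn) + validity + _name(subject_cn) + _tlv(0x30, b""))
    cert = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))
    b64 = base64.encodebytes(cert).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (fake_cert_pem(SHARED_CA_CN, SHARED_CA_CN)             # the shared root itself
                 + fake_cert_pem("plc-01.example", SHARED_CA_CN)        # PLC cert chained to it
                 + fake_cert_pem("plc-02.example", "plc-02.example"))   # self-signed per-PLC cert

if __name__ == "__main__":
    for subject, issuer, fp, verdict in audit_store(SAMPLE_BUNDLE):
        print(f"{subject:<20} issuer={issuer:<20} {fp[:16]}...  {verdict}")
```

On a real workstation, export the browser or OS trust store to PEM and pass it to `audit_store`; record each PLC's fingerprint in `pinned` only after comparing it against the value shown on the device itself or obtained through a channel that does not go over the network being checked. A `PIN-MISMATCH` verdict is the certificate-warning indicator described above in machine-checkable form.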
## References
- Siemens Security Advisory SSA-240718: hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-240718.pdf
- Siemens Industrial Security Guidelines: hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security
- Siemens ProductCERT: hxxps://www.siemens[.]com/cert/advisories