Full Report
Several SIMATIC products are affected by a type confusion vulnerability in OpenSSL X.400 address processing (CVE-2023-0286), as disclosed on 2023-02-07 at https://www.openssl.org/news/secadv/20230207.txt. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Type Confusion in OpenSSL X.400 Address Processing (Siemens SIMATIC)
## CVE Details
- **CVE ID:** CVE-2023-0286
- **CVSS Score:** 7.4 (High)
- **CWE:** CWE-20 (Improper Input Validation) / Type Confusion
## Affected Systems
- **Products:**
  - SIMATIC Drive Controller family (CPU 1504D TF, etc.)
  - SIMATIC S7-1200 CPU family (including SIPLUS variants)
  - SIMATIC S7-1500 CPU family (including ET200 CPUs, Software Controllers, and SIPLUS variants)
  - SIMATIC IPC DiagBase & DiagMonitor
  - SIMATIC S7-PLCSIM Advanced
  - SIMATIC ET 200SP Open Controller
- **Versions:**
  - S7-1200: All versions < V4.7
  - S7-1500 CPU 1510SP F-1 PN: All versions < V2.9.7
  - Drive Controller CPU 1504D TF: Versions V3.0.1 and V30.0.0 < V30.1.0
  - IPC DiagBase/DiagMonitor: All versions
- **Configurations:** Systems where CRL (Certificate Revocation List) checking is enabled (specifically the `X509_V_FLAG_CRL_CHECK` flag).
## Vulnerability Description
A type confusion flaw exists in the OpenSSL `GENERAL_NAME_cmp` function. The public structure definition for `GENERAL_NAME` incorrectly declared the `x400Address` field as `ASN1_TYPE` instead of `ASN1_STRING`. When X.400 addresses are compared during CRL checking, the comparison code therefore reads the decoded `ASN1_STRING` as if it were an `ASN1_TYPE`. This allows an attacker to pass arbitrary pointers to a `memcmp` call.
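Added illustration, not code from the advisory or from OpenSSL itself: simplified C models of the two structures (named `asn1_string_model` and `asn1_type_model` here, with field order assumed from OpenSSL's public headers) show how reading the decoded X.400 string through the `ASN1_TYPE` declaration turns its length into a type tag and its data pointer into the pointer the comparison dereferences, and how a comparison that treats both operands as `ASN1_STRING` (the shape of the fix) avoids that.

```c
#include <stddef.h>
#include <string.h>

/* Models of OpenSSL's ASN1_STRING and ASN1_TYPE, assumed from the public headers
 * (same leading field order; members not needed for the point are omitted). */
typedef struct {
    int length;            /* byte count of `data` */
    int type;              /* ASN.1 tag of the decoded element */
    unsigned char *data;   /* decoded bytes from the certificate or CRL */
} asn1_string_model;
typedef struct {
    int type;
    union {
        char *ptr;
        asn1_string_model *asn1_string;
    } value;
} asn1_type_model;

/* The decoder stores an ASN1_STRING in the x400Address slot, but the pre-fix
 * header declared that slot as ASN1_TYPE. Constructed sample value below. */
static unsigned char payload[] = "x400";
static asn1_string_model decoded = { 4, 16 /* V_ASN1_SEQUENCE */, payload };
/* Reinterpret the decoded string's bytes as an ASN1_TYPE (defined punning). */
static asn1_type_model confused_view(void) {
    asn1_type_model view;
    memcpy(&view, &decoded, sizeof view);
    return view;
}

/* 1 if the string's `length` reads back as the ASN1_TYPE's `type` tag. */
int type_field_aliases_length(void) {
    return confused_view().type == decoded.length;
}

/* 1 if `value.ptr` reads back the string's `data` pointer (LP64 layout), i.e.
 * the next dereference comes from decoded input; -1 if this ABI differs. */
int value_ptr_aliases_data(void) {
    if (offsetof(asn1_type_model, value) != offsetof(asn1_string_model, data))
        return -1;
    return confused_view().value.ptr == (char *)decoded.data;
}

/* Model of the corrected comparison: both operands are ASN1_STRINGs, so
 * memcmp only ever sees the decoded byte buffers and their lengths. */
int fixed_x400_cmp(const asn1_string_model *a, const asn1_string_model *b) {
    if (a->length != b->length)
        return a->length < b->length ? -1 : 1;
    return memcmp(a->data, b->data, (size_t)a->length);
}
```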
## Exploitation
- **Status:** PoC available (Proof of Concept)
- **Complexity:** High (Requires the attacker to provide or influence both the certificate chain and the CRL, or exploit rare configurations where X.400 addresses are already present as CRL distribution points).
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Potential to read arbitrary memory contents)
- **Integrity:** None
- **Availability:** High (Potential for Denial of Service via application crash)
## Remediation
### Patches
- **SIMATIC S7-1200:** Update to V4.7 or later.
- **SIMATIC S7-1500 CPU 1510SP F-1 PN:** Update to V2.9.7 or later.
- **SIMATIC Drive Controller V30:** Update to V30.1.0 or later.
- **SIMATIC S7-PLCSIM Advanced:** See Siemens advisory for specific version updates.
### Workarounds
- **No Fix Planned:** For SIMATIC IPC DiagBase and DiagMonitor, no fixes are currently scheduled.
- **General Mitigation:**
  - Disable CRL checking if not strictly required.
  - Limit network access to affected industrial components using firewalls or VLANs.
  - Follow Siemens' general security recommendations for operational technology (OT) environments.
## Detection
- **Indicators of Compromise:** Unusual memory read patterns or unexpected crashes in services handling X.509 certificates/CRLs.
- **Detection methods:** Vulnerability scanners that identify outdated OpenSSL libraries (specifically those prior to the February 2023 patches) within the firmware of the listed Siemens devices.
## References
- **Siemens Advisory:** hxxps://cert-portal.siemens[.]com/productcert/html/ssa-264815.html
- **OpenSSL Security Advisory:** hxxps://www.openssl[.]org/news/secadv/20230207.txt
- **Siemens ProductCERT:** hxxps://www.siemens[.]com/cert/advisories