Full Report
Intel has published information on vulnerabilities in Intel products in June 2021. This advisory lists the related Siemens Industrial products affected by these vulnerabilities that can be patched by applying the corresponding BIOS update. In this advisory we summarize: “2021.1 IPU – Intel® CSME, SPS and LMS Advisory” Intel-SA-00459, “2021.1 IPU – BIOS Advisory” Intel-SA-00463, “2021.1 IPU – Intel® Processor Advisory” Intel-SA-00464, and “2021.1 IPU - Intel Atom® Processor Advisory” Intel-SA-00465. Siemens has released new versions for several affected products and recommends updating to the latest versions. For products where fixes are not, or not yet, available, Siemens recommends specific countermeasures.
Analysis Summary
# Vulnerability: Intel IPU 2021.1 Side-Channel and BIOS Flaws in Siemens Industrial Products
## CVE Details
This advisory covers several vulnerabilities. The most prominent include:
- **CVE-2020-24513**
  - **CVSS Score:** 5.6 (Medium)
  - **CWE:** CWE-311 (Missing Encryption of Sensitive Data)
- **CVE-2020-8670**
  - **CVSS Score:** 2.8 (Low)
  - **CWE:** CWE-311 (Missing Encryption of Sensitive Data)
- **CVE-2020-24512, CVE-2020-24511, CVE-2020-24507, CVE-2020-24506, CVE-2020-8704, CVE-2020-8703, CVE-2020-12357** (scores vary by product context)
## Affected Systems
- **Products:** A wide range of Siemens Industrial Computing and Control platforms, including:
  - SIMATIC Drive Controllers (CPU 1504D/1507D TF)
  - SIMATIC ET 200SP Open Controllers
  - SIMATIC Field PG (M5, M6)
  - SIMATIC IPCs (127E, 347G, 427E, 477E, 527G, 547G)
  - SINUMERIK CNC systems (ONE NCU, 828D, MC MCU)
- **Versions:** Multiple versions prior to the 2021–2024 BIOS update cycles.
- **Configurations:** Systems utilizing Intel CSME, SPS, LMS, and specific Intel Atom or Core processors.
## Vulnerability Description
The advisory addresses multiple technical flaws released as part of Intel's June 2021 Intel Platform Update (IPU). Technical highlights include:
- **Domain-bypass Transient Execution (CVE-2020-24513):** A flaw in certain Intel Atom processors where hardware/microcode fails to properly encrypt or isolate sensitive data during speculative execution, potentially allowing an attacker to read data across security boundaries.
- **Information Disclosure (CVE-2020-8670):** Similar side-channel vulnerabilities in various Intel processors allowing unauthorized data observation.
- **BIOS/Firmware Vulnerabilities:** Flaws in Intel CSME (Converged Security and Management Engine) and BIOS implementations that could lead to escalation of privilege or denial of service.
## Exploitation
- **Status:** Proof of Concept (PoC) available for some side-channel attacks; no broad "in the wild" exploitation reported for these specific Siemens implementations at the time of publication.
- **Complexity:** High (Requires sophisticated knowledge of side-channel analysis or local access).
- **Attack Vector:** Local (Most vulnerabilities require the attacker to have authenticated local access to the operating system).
## Impact
- **Confidentiality:** High (Transient execution flaws allow reading of unauthorized memory).
- **Integrity:** Medium/Low (Depending on specific BIOS flaw impact).
- **Availability:** Low (Potential for system instability during exploitation).
## Remediation
### Patches
Siemens has released BIOS updates for the majority of affected products. Users should update to the following or later versions:
- **SIMATIC ET 200SP PC2:** BIOS V02.09.01.05
- **SIMATIC Field PG M5:** BIOS V22.01.10
- **SIMATIC Field PG M6:** BIOS V26.01.08
- **SIMATIC IPC127E:** BIOS V27.01.07
- **SIMATIC IPC347G:** BIOS V01.04
- **SIMATIC IPC527G:** BIOS V02.01.08
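To turn the version list above into a repeatable inventory check, the following added example (not Siemens tooling) parses Siemens-style BIOS version strings and classifies each asset as patched, update-required, or workarounds-only. The product names and the minimum versions come from this advisory; the inventory lines are constructed.

```python
import re

# Minimum fixed BIOS versions from the Patches list above (advisory values).
FIXED_BIOS = {
    "SIMATIC ET 200SP PC2": "V02.09.01.05",
    "SIMATIC Field PG M5": "V22.01.10",
    "SIMATIC Field PG M6": "V26.01.08",
    "SIMATIC IPC127E": "V27.01.07",
    "SIMATIC IPC347G": "V01.04",
    "SIMATIC IPC527G": "V02.01.08",
}
# Products the advisory lists with no fix planned (workarounds only).
NO_FIX_PLANNED = {"SIMATIC Drive Controller", "SIMATIC IPC547G"}

_VERSION_RE = re.compile(r"^V?(\d+(?:\.\d+)*)$", re.IGNORECASE)


def parse_bios_version(text):
    """'V02.09.01.05' -> (2, 9, 1, 5); the 'V' prefix and zero padding are
    dropped so 'V2.9.1.5' compares equal. Raises ValueError on junk input."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIOS version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(installed, fixed):
    """True when installed >= fixed; shorter tuples are right-padded with
    zeros so 'V01.04' and 'V01.04.00' denote the same release."""
    a, b = parse_bios_version(installed), parse_bios_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def assess(product, installed):
    """Classify one inventory entry against the advisory."""
    if product in NO_FIX_PLANNED:
        return "no-fix-workarounds"
    fixed = FIXED_BIOS.get(product)
    if fixed is None:
        return "not-in-advisory"
    return "patched" if is_patched(installed, fixed) else "update-required"


if __name__ == "__main__":
    # Constructed inventory lines ("<product>;<BIOS version>"), not real data.
    for line in ["SIMATIC IPC127E;V27.01.07", "SIMATIC Field PG M6;V26.01.06",
                 "SIMATIC IPC347G;V1.4", "SIMATIC IPC547G;V17.02.11"]:
        product, version = line.split(";")
        print(f"{product:22} {version:12} {assess(product, version)}")
```

Feed it the product and BIOS version strings from your asset inventory export; entries reported as update-required map directly to the versions above, and workarounds-only entries point to the countermeasures in the next section.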
### Workarounds
For products where no fix is planned (e.g., SIMATIC Drive Controller, IPC547G, SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP):
- Implement strict local access controls.
- Ensure only trusted software is executed on the systems.
- Follow the Siemens Operational Technology (OT) security "Defense-in-Depth" concept.
## Detection
- **Indicators of Compromise:** Unusual processor performance overhead; unauthorized attempts to access kernel memory or BIOS settings.
- **Detection methods:** Standard forensic analysis of OS logs for unauthorized privilege escalation; utilizing vendor-specific firmware verification tools.
## References
- Siemens Security Advisory SSA-309571: hxxps://cert-portal.siemens.com/productcert/pdf/ssa-309571.pdf
- Intel-SA-00459, Intel-SA-00463, Intel-SA-00464, Intel-SA-00465
- Siemens ProductCERT: hxxps://www.siemens.com/cert/advisories