Claroty reveals new cryptographic key extraction method
Claroty's Team82 has developed a new, innovative method to extract heavily guarded, hardcoded, global private cryptographic keys embedded within the Siemens SIMATIC S7-1200/1500 PLC and TIA Portal product lines.
CVE-2022-38465 has been assigned and has a CVSS criticality score of 9.3.
Claroty says a malicious actor can use these keys to carry out multiple advanced attacks against Siemens SIMATIC devices and the related TIA Portal while bypassing all four of its access level protections and causing irreparable damage from the compromise.
Further, an attacker can develop an independent Siemens SIMATIC client (without needing the TIA Portal) and conduct complete upload/download procedures, man-in-the-middle attacks, as well as intercept and decrypt passive OMS+ network traffic.
In response to these findings, Siemens has released new versions of the affected PLCs and engineering workstation that address this vulnerability, and Claroty urges users to update immediately.
In addition, this has led Siemens to introduce a new TLS management system in TIA Portal v17, ensuring that configuration data and communications between Siemens PLCs and engineering workstations are encrypted and confidential.
This finding comes after the Claroty research team (Team82) found seven vulnerabilities in Dataprobe's iBoot-PDU, the company's intelligent power distribution unit product.
Power distribution units (PDUs) are common devices found in industrial environments, data centres and other places where power supplies have to be near rack-mounted equipment.
Team82's findings show that an attacker would be able to exploit the vulnerabilities in Dataprobe's offering remotely, either through a direct web connection to the device or through the cloud.
It adds that this would lead to unauthenticated remote code execution.
Citing additional recent research by Censys, Claroty says that over 2,000 PDUs are exposed to the internet, with 31% of these being Dataprobe devices.
The company also notes that carrying out an attack on a remotely exploitable vulnerability in a PDU component platform positions the attacker very close to being able to interfere with vital services by cutting off electric power to the device and, therefore, anything that is plugged into it.
Dataprobe has addressed these vulnerabilities in a new version update. Users are urged to update to Version 1.42.06162022 as soon as possible.
Dataprobe also recommends users disable SNMP, telnet, and HTTP, if not in use, to mitigate some of these vulnerabilities.
ICS-CERT has issued an advisory as well.
Exclusive Networks, a global cybersecurity specialist for digital infrastructure, also recently signed a partnership with Claroty.
The partnership will see Exclusive Networks provide Claroty's cybersecurity solutions across the industrial, healthcare, and commercial environments in key APAC markets, including Indonesia, Malaysia, Philippines, Singapore, Thailand, Brunei, Vietnam, Laos, Cambodia, Australia, New Zealand, India and Hong Kong.