PT-2023-1020 · Siemens · Siemens Simatic S7-1500 CPU Family

Ang Cui +1 · Published 2023-01-10 · Updated 2024-06-11 · CVE-2022-38773

CVSS v2.0: 4.9 (Medium)

Vector: AV:L/AC:L/Au:N/C:N/I:C/A:N

Name of the Vulnerable Software and Affected Versions

Siemens SIMATIC S7-1500 CPU Family (affected versions not specified)

Description

The issue stems from the absence of an immutable root of trust in hardware, so the integrity of code cannot be validated at load time. An attacker with physical access to the device could replace the boot image and execute arbitrary code. This could allow the attacker to bypass protected boot functions and modify the controller's working code and data. The problem is caused by architectural issues affecting Siemens SIMATIC and SIPLUS S7-1500 processors. It is estimated that over 100 device models are potentially affected. Exploitation requires physical access to the target device, although it is noted that an attacker could use another remote code execution vulnerability to deploy malicious firmware on the device.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a mitigation measure, ensure that physical access to the device is restricted to trusted personnel. New hardware versions have been released that address the issue on some affected processors, while others are in development.

Weakness Enumeration

Related Identifiers

BDU:2023-00111
CVE-2022-38773

Affected Products

Siemens Simatic S7-1500 CPU Family