VDB
ICSA-23-222-09
PUBLISHED
CVSS 5.9 MEDIUM
Several SIMATIC products are affected by a timing-based side-channel vulnerability in OpenSSL RSA decryption (CVE-2023-4304), disclosed on 2023-02-07 at https://www.openssl.org/news/secadv/20230207.txt. Siemens has released new versions for several affected products and recommends updating to the latest versions. For products where fixes are not, or not yet, available, Siemens recommends specific countermeasures.
Risk Scores
CVSS v3.1
5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Siemens | SIMATIC ET 200pro IM 154-8F PN/DP CPU (6ES7154-8FB01-0AB0) | |
| Siemens | SIMATIC ET 200pro IM 154-8 PN/DP CPU (6ES7154-8AB01-0AB0) | |
| Siemens | SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00) | |
| Siemens | SIMATIC Process Historian 2019 OPC UA Server | |
| Siemens | SIMATIC ET 200pro IM 154-8FX PN/DP CPU (6ES7154-8FX00-0AB0) | |
| Siemens | SIMATIC PDM V9.1 | |
| Siemens | SIMATIC Process Historian 2022 OPC UA Server | |
| Siemens | SIMATIC ET 200S IM 151-8F PN/DP CPU (6ES7151-8FB01-0AB0) | |
| Siemens | SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00) | |
| Siemens | SIMATIC S7-300 CPU 314C-2 PN/DP (6ES7314-6EH04-0AB0) | |
| Siemens | SIMATIC Process Historian 2020 OPC UA Server | |
| Siemens | SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) | |
| Siemens | SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0) | |
| Siemens | SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0) | |
| Siemens | SIMATIC ET 200S IM 151-8 PN/DP CPU (6ES7151-8AB01-0AB0) | |
| Siemens | SIMATIC PDM V9.2 | |
| Siemens | SIMATIC Logon V1.6 | |
Timeline
- Aug 8, 2023 CVE Published
- May 6, 2025 CVE Updated
References
- https://cert-portal.siemens.com/productcert/csaf/ssa-264814.json advisory
- https://cert-portal.siemens.com/productcert/html/ssa-264814.html advisory
- https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2023/icsa-23-222-09.json advisory
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-222-09 advisory
- https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01 url
- https://www.cisa.gov/resources-tools/resources/ics-recommended-practices url
- https://www.cisa.gov/topics/industrial-control-systems url
- https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf url
- https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf url
- https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B url
- https://support.industry.siemens.com/cs/ww/en/view/109822278/ fix
- https://support.industry.siemens.com/cs/ww/en/view/109478459/ fix
- https://support.industry.siemens.com/cs/ww/en/view/109825230/ fix
- https://support.industry.siemens.com/cs/ww/en/view/109976907/ fix
- https://support.industry.siemens.com/cs/ww/en/view/109821388 fix
- https://support.industry.siemens.com/cs/ww/en/view/109812242/ fix
- https://support.industry.siemens.com/cs/ww/en/view/40360647/ fix
- https://support.industry.siemens.com/cs/ww/en/view/40362228/ fix
- https://support.industry.siemens.com/cs/ww/en/view/44442927/ fix
- https://support.industry.siemens.com/cs/ww/en/view/44443101/ fix
…and 11 more