As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY
- CVSS v3 6.5
- ATTENTION: Low Attack Complexity
- Vendor: Siemens
- Equipment: SIMATIC Field PG and SIMATIC IPC
- Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an authenticated local user to potentially read other users’ data.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Siemens products are affected:
- SIMATIC Field PG M6: All Versions
- SIMATIC IPC BX-39A: All Versions
- SIMATIC IPC PX-39A: All Versions
- SIMATIC IPC PX-39A PRO: All Versions
- SIMATIC IPC RW-543A: All Versions
- SIMATIC IPC627E: All Versions
- SIMATIC IPC647E: All Versions
- SIMATIC IPC677E: All Versions
- SIMATIC IPC847E: All Versions
3.2 VULNERABILITY OVERVIEW
3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2022-40982 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).