PatchSiren

CVE-2022-2097 Siemens CVE debrief

CVE-2022-2097 is a cryptographic vulnerability in OpenSSL's AES OCB mode implementation on 32-bit x86 platforms using AES-NI assembly optimizations. Under specific conditions, the implementation fails to encrypt the entirety of data, potentially exposing sixteen bytes of preexisting memory content. In 'in place' encryption scenarios, this could reveal sixteen bytes of plaintext. The vulnerability does not affect TLS or DTLS protocols, as OpenSSL does not support OCB-based cipher suites for these protocols. Siemens has identified this vulnerability as affecting multiple SIMATIC and SIPLUS industrial communication processors, with firmware updates available to address the issue.

Vendor: Siemens
Product: SIMATIC CP 1542SP-1 (6GK7542-6UX00-0XE0)
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-06-11
Original CVE updated: 2024-06-11
Advisory published: 2024-06-11
Advisory updated: 2024-06-11

Who should care

Organizations operating Siemens SIMATIC CP 1542SP-1, CP 1542SP-1 IRC, CP 1543SP-1, or SIPLUS ET 200SP communication processors in industrial control environments. Security teams responsible for OT/ICS infrastructure, particularly those using cryptographic operations on affected platforms. Compliance officers tracking cryptographic vulnerabilities in industrial systems.

Technical summary

The vulnerability exists in OpenSSL's AES OCB (Offset Codebook) mode implementation specifically optimized for 32-bit x86 platforms using AES-NI (Advanced Encryption Standard New Instructions) assembly code. The AES-NI optimized path contains a flaw where incomplete data encryption occurs under certain conditions, resulting in a 16-byte block of data remaining unencrypted. This exposes either preexisting memory contents or, in the case of in-place encryption operations, actual plaintext data. The vulnerability is confined to the specific assembly implementation and does not affect the generic C implementation or other architectures. TLS and DTLS protocols are explicitly unaffected as OpenSSL does not implement OCB mode cipher suites for these protocols. Siemens has confirmed six affected product variants across SIMATIC CP and SIPLUS ET 200SP product families, with remediation through firmware version 2.3 or later.

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-supplied firmware updates to version 2.3 or later for affected Siemens SIMATIC CP 1542SP-1, CP 1542SP-1 IRC, CP 1543SP-1, and SIPLUS ET 200SP communication modules
  • Verify current firmware versions on affected industrial communication processors and prioritize updates based on network exposure
  • Review network segmentation for affected industrial control systems to limit exposure of vulnerable devices
  • Monitor Siemens ProductCERT security advisories for additional guidance on SSA-625862
  • Assess whether affected devices process sensitive data using AES-OCB mode encryption on 32-bit x86 platforms
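
The firmware verification and exposure-based prioritization steps above can be scripted against an asset inventory. The following Python is an added example, not code from Siemens or from this debrief's sources; the CSV column names, asset names and sample rows are constructed, and matching on the CP model number in the product name is an assumption based on the product names listed above.

```python
import csv
import io
import re

FIXED = (2, 3)  # fixed firmware per the debrief: version 2.3 or later
# CP model numbers named in the debrief (covers the IRC variant as well).
MODEL_RE = re.compile(r"CP\s*154[23]SP-1", re.I)
SIPLUS_RE = re.compile(r"SIPLUS\s+ET\s*200SP", re.I)

# Constructed sample inventory; the columns are assumptions, not a Siemens export format.
SAMPLE_INVENTORY = """asset,product,firmware,reachable_from_it
cp-line1,SIMATIC CP 1542SP-1,V2.2.28,no
cp-line2,SIMATIC CP 1543SP-1,V2.3.0,yes
cp-rtu7,SIMATIC CP 1542SP-1 IRC,v2.1,yes
cp-cold3,SIPLUS ET 200SP CP 1543SP-1,,no
im-line1,SIMATIC IM 155-6,V4.2,no
"""

def parse_version(text):
    """Return firmware as a tuple of ints, or None if no version is recorded."""
    m = re.search(r"\d+(?:\.\d+)*", text or "")
    return tuple(int(p) for p in m.group().split(".")) if m else None

def classify(product, firmware):
    """Return 'not-affected', 'patched', 'vulnerable' or 'verify' for one device."""
    if not MODEL_RE.search(product):
        # A SIPLUS ET 200SP entry without a CP number needs a manual look.
        return "verify" if SIPLUS_RE.search(product) else "not-affected"
    version = parse_version(firmware)
    if version is None:
        return "verify"  # affected model, firmware not recorded
    return "patched" if version >= FIXED else "vulnerable"

def triage(inventory_csv):
    """Return (asset, status) for devices needing action, IT-reachable first."""
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["product"], row["firmware"])
        if status in ("vulnerable", "verify"):
            exposed = row["reachable_from_it"].strip().lower() == "yes"
            rows.append((not exposed, status != "vulnerable", row["asset"], status))
    return [(asset, status) for _, _, asset, status in sorted(rows)]

if __name__ == "__main__":
    for asset, status in triage(SAMPLE_INVENTORY):
        print(f"{asset}: {status}")
```

Devices reported as "verify" are affected models with no recorded firmware version, or SIPLUS ET 200SP entries whose model could not be determined from the inventory name.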

Evidence notes

The vulnerability was disclosed in CISA advisory ICSA-24-165-10 on June 11, 2024, which references Siemens Security Advisory SSA-625862. The affected products are industrial communication modules used in Siemens SIMATIC and SIPLUS ET 200SP systems. The CVSS 3.1 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and low confidentiality impact.
