PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-3545 Siemens CVE debrief

A use-after-free vulnerability in the Linux kernel's Netronome NFP driver affects Siemens SIMATIC and SIPLUS industrial communication processors. The flaw resides in the area_cache_get function within drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c, specifically impacting IPsec functionality. With a CVSS 3.1 score of 7.8 (HIGH), this local privilege escalation vulnerability requires low attack complexity and low privileges and no user interaction; successful exploitation has high impact on confidentiality, integrity, and availability. The vulnerability was disclosed publicly on June 11, 2024, through coordinated CISA and Siemens advisories. Siemens has released firmware updates to address this issue in affected industrial control system products.

Vendor
Siemens
Product
SIMATIC CP 1542SP-1 (6GK7542-6UX00-0XE0)
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2024-06-11
Original CVE updated
2024-06-11
Advisory published
2024-06-11
Advisory updated
2024-06-11

Who should care

Organizations operating Siemens SIMATIC CP 1542SP-1, CP 1542SP-1 IRC, CP 1543SP-1, or SIPLUS ET 200SP communication processors in industrial automation environments. System integrators and OT security teams responsible for maintaining firmware in industrial control systems. Organizations utilizing IPsec functionality on affected Siemens network devices.

Technical summary

The vulnerability exists in the area_cache_get function of the Netronome NFP (Network Flow Processor) driver's core CPP (Chip Peripheral Port) implementation. The use-after-free condition in the IPsec processing path can be triggered through memory manipulation by a local, low-privileged user, potentially allowing that user to escalate privileges. The affected code path is in drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c. Because Siemens industrial products incorporate the vulnerable Netronome networking components, this kernel-level vulnerability propagates to those products and is remediated there only through vendor firmware updates.

Defensive priority

HIGH

Recommended defensive actions

  • Apply vendor-provided firmware updates to version 2.3 or later for all affected Siemens SIMATIC CP 1542SP-1, CP 1542SP-1 IRC, CP 1543SP-1, and SIPLUS ET 200SP communication processor variants
  • Verify firmware version through Siemens Industry Online Support portal before and after update deployment
  • Implement network segmentation for industrial control systems to limit exposure of affected communication processors
  • Monitor for anomalous IPsec-related activity or unexpected process behavior on affected devices
  • Review and apply CISA ICS recommended practices for defense-in-depth strategies in industrial environments
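The first two actions above (apply firmware 2.3 or later, then verify the version before and after deployment) are easiest to track when the device inventory is checked mechanically rather than by eye. The following script is an added example written for this debrief, not code from Siemens, CISA or PatchSiren. It assumes a simple inventory of (name, product, firmware) records and a Siemens-style version string such as "V2.3"; the device records and the "Example PLC" product are constructed placeholders. Only the affected product families and the fixed version 2.3 come from the advisory text.

```python
"""Gate a device inventory against the CVE-2022-3545 firmware fix threshold.

Constructed example: inventory format and device records are invented for
illustration. Page-sourced facts: affected product families and fixed
firmware version 2.3.
"""
import re
from dataclasses import dataclass

# Product families the advisory names as affected (prefix match, so the
# "CP 1542SP-1 IRC" variant is covered by the "CP 1542SP-1" prefix).
AFFECTED_PRODUCT_PREFIXES = (
    "SIMATIC CP 1542SP-1",
    "SIMATIC CP 1543SP-1",
    "SIPLUS ET 200SP",
)

# Advisory states firmware version 2.3 or later resolves the issue.
FIXED_VERSION = (2, 3, 0)

# Accepts "V2.3", "v2.3", "2.3", "2.3.1"; anything else is rejected so a
# typo in the inventory is never silently treated as "patched".
_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Turn a firmware string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected_product(product):
    """True if the product string belongs to one of the advisory's families."""
    return any(product.startswith(p) for p in AFFECTED_PRODUCT_PREFIXES)


@dataclass
class Device:
    name: str      # asset identifier in the inventory (constructed)
    product: str   # Siemens product designation as recorded in the inventory
    firmware: str  # firmware version as reported by the device or portal


def assess(devices):
    """Map device name -> 'not-in-scope' | 'patched' | 'vulnerable' | 'unknown'.

    'unknown' means the product is in scope but the recorded version could
    not be parsed; it must be verified manually, not assumed patched.
    """
    results = {}
    for d in devices:
        if not is_affected_product(d.product):
            results[d.name] = "not-in-scope"
            continue
        try:
            version = parse_version(d.firmware)
        except ValueError:
            results[d.name] = "unknown"
            continue
        results[d.name] = "patched" if version >= FIXED_VERSION else "vulnerable"
    return results


def needs_action(devices):
    """Names of in-scope devices that still require an update or a manual check."""
    return sorted(n for n, s in assess(devices).items() if s in ("vulnerable", "unknown"))


# Constructed sample inventory; none of these assets exist.
SAMPLE_INVENTORY = [
    Device("cp-line1", "SIMATIC CP 1542SP-1", "V2.2"),
    Device("cp-line2", "SIMATIC CP 1542SP-1 IRC", "V2.3"),
    Device("cp-remote", "SIMATIC CP 1543SP-1", "V3.0.1"),
    Device("cp-harsh", "SIPLUS ET 200SP CP 1542SP-1", "v2.1.4"),
    Device("cp-odd", "SIMATIC CP 1543SP-1", "n/a"),
    Device("plc-1", "Example PLC (not in advisory)", "V2.9"),
]

if __name__ == "__main__":
    for name, status in assess(SAMPLE_INVENTORY).items():
        print(f"{name:10s} {status}")
    print("action required:", ", ".join(needs_action(SAMPLE_INVENTORY)))
```

Run it once before the maintenance window to produce the work list and once afterwards; an empty `needs_action` result is the verification the second bullet asks for. The deliberate choice is that an unparseable version lands in "unknown" rather than "patched", so a blank or mistyped inventory field cannot hide an unpatched processor.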

Evidence notes

Vulnerability affects Linux Kernel Netronome NFP driver function area_cache_get in IPsec component. CISA advisory ICSA-24-165-10 and Siemens SSA-625862 provide coordinated disclosure. Six Siemens SIMATIC/SIPLUS communication processor products confirmed affected.

Official resources

2024-06-11