Red Balloon Security researchers have discovered a potentially serious unpatched vulnerability affecting many Siemens PLC models.

Having an average severity rating of CVE-2022-38773 can allow an attacker to bypass the functions of secure boot, change the working code and data of the controller.

According to the Red Balloon Security resellers, the error is caused by architectural problems affecting the Siemens Simatic and Siplus S7-1500 processors.

The specialized Siemens SoC system does not install RoT during the early boot process, causing the absence of asymmetric signature checks for all stages of the bootloader and firmware before execution.

The inability to install Root of Trust on the device allows attackers to download a modified bootloader and firmware - to perform and bypass the functions of protection against unauthorized access and integrity checks on the device.

According to Red Balloon, an attacker can decrypt the firmware of affected PLCs and create their own bootable malicious firmware on more than 100 device models.

Physical access to the target PLC is required to exploit the vulnerability. However, as the researchers noted, a hacker can use another RCE vulnerability to deploy malicious firmware on the device.

Siemens informed customers about the vulnerability, recommending that measures be taken to ensure that only trusted personnel have access to physical equipment.

At the same time, the manufacturer has separately notified customers that the vulnerability cannot be fixed with a firmware update and no fixes are planned to date. 

New hardware versions have been released that fix the problem on some affected processors, the remaining ones are under development.