Foreshadow and its derivatives, which allow unintended reads of the most isolated and secure microprocessor memory, are as ubiquitous as modern Intel chips. Operational technology (OT) systems, including many in the Siemens industrial and automation portfolios, incorporate the vulnerable chips.

Foreshadow Vulnerabilities and Timeline

On August 14, 2018, Intel took part in the coordinated disclosure of three side channel L1 cache read vulnerabilities in their low–level software, to which they were alerted in January of 2018. The Foreshadow vulnerability (a.k.a. L1 Terminal Fault or L1TF) and its corresponding attack vector were revealed confidentially by a number of independent academic and private researchers the day Spectre and Meltdown were announced publicly. After the disclosure, Intel built upon their methods to find two other deep flaws in their products’ secure memory handling. On October 9, 2018 — nearly two months after the vulnerabilities’ disclosure — Siemens enumerated its affected systems.

Exploitation of these issues requires local user access to the operating system (or host operating system in the case of virtual machines), as well as a high degree of exploiter sophistication, according to Intel. As of the publishing of this post, there are no known instances of malicious exploitation of these flaws, but proofs of concept have been produced and are likely to be made public as soon as the parties involved are comfortable doing so.

Foreshadow CVEs

The CVE IDs are CVE–2018–3615, CVE-2018-3620, and CVE-2018-3646. All three have been rated as “high severity” by Siemens (7.9/10, 7.1/10, and 7.1/10 respectively). The vulnerabilities are identified in the Skybox® Intelligence Feed as SBV–91639, SBV-91650, and SBV-91651.

Siemens Products Affected by Foreshadow

The following Siemens products are affected:

  • RUGGEDCOM Application Processing Engine
  • RUGGEDCOM RX1400 Virtual Processing Engine
  • SIMATIC ET 200 SP Open Controller
  • SIMATIC Field PG M4 and M5 programming devices
  • SIMATIC S7-1518-4 PN/DP Multifunction Platform
  • SIMATIC S7-1500 Software Controller
  • SIMOTION P320-4E and P320-4S motion control PCs
  • SINUMERIK CNC devices: 840D sl, PCU 50.5 panel control unit, TCU 30.3 thin client unit and control panels with integrated TCU
  • SIMATIC industrial PCs: IPC227E, IPC277E, IPC3000 SMART V2, IPC327E, IPC347E, IPC377E, IPC427C, IPC427D, IPC477D, IPC427E, IPC477E, IPC477E Pro, IPC477C, IPC547E, IPC547G, IPC627C, IPC627D, IPC647C, IPC647D, IPC677C, IPC677D, IPC827C, IPC827D, IPC847C, IPC847D and ITP1000

Foreshadow Patch and Mitigation

Intel is working on microcode mitigations, which have already shipped for many of their processors. In their October 9 advisory, Siemens began releasing specific BIOS remediations for a fraction of their industrial PC models, promising more to come as they are developed. Incremental release of firmware updates is true to Siemens form (with case in point being delivery of their latest batch of Spectre patches, which coincided with the Foreshadow advisory). Both manufacturer and vendor are quick to remind customers that updates at the software and OS levels are required to obviate the vulnerability, but that defense–in–depth remains the best practice to protect sensitive assets.

Challenges in OT

Often times in OT environments where devices vulnerable for Foreshadow exist, active scanning is prohibited. Thus it’s imperative to have passive, scanless assessment capabilities to identify vulnerabilities anywhere in your network, merging results with those from scanless assessments elsewhere in the organization as well as active scans. By automatically gathering and merging this information on a regular basis, organizations will have comprehensive vulnerability occurrence list accessible on demand.

Making time to apply patches in OT networks that require constant uptime is another major security management challenge. What’s more, many OT devices are legacy, end–of–life technology and no longer supported — or patched — by their vendor. Unauthorized updates could also void vendor warranties.

That’s why it’s so important to be able to understand network–based patching alternatives to mitigate risk when patches can’t be installed. Changing ACL rules, configurations or IPS signatures could mean the difference between a vulnerability and a damaging breach.

 

Learn more about how Skybox can help unify your IT and OT security management to reduce cyber risk anywhere in your organization.

 

Resources

TSMC WannaCry Hits OT Plants with a Hefty Price Tag: The TSMC WannaCry attack is yet another reminder in the constant vigilance of vulnerability management — and the effect it can have on your bottom line

Spectre Reemerges With Two New Variants: The Intel chip-level flaw is back with two new variants, Spectre 1.1 and 1.2, with some patches available