Siemens SIMATIC Products BIOS Password Bypass Vulnerability via EFI Variable Manipulation

Vulnerability

A vulnerability exists in various Siemens SIMATIC products, including Field PG M5, Field PG M6, IPC BX-21A, BX-32A, BX-39A, BX-59A, PX-32A, PX-39A, PX-39A PRO, IPC RC-543B, IPC RW-543A, IPC127E, IPC227E, IPC227G, IPC277E, IPC277G, IPC277G PRO, IPC3000 SMART V3, IPC327G, IPC347G, IPC377G, IPC427E, IPC477E, IPC477E PRO, IPC527G, IPC627E, IPC647E, IPC677E, IPC847E, and ITP1000, all versions. The vulnerability arises from inadequate protection of EFI (Extensible Firmware Interface) variables, allowing an authenticated attacker to disable the BIOS password without authorization by directly communicating with the flash controller.

Impact

Exploitation of this vulnerability could lead to unauthorized disabling of the BIOS password, allowing for potential bypass of BIOS security features.

Remediation

Siemens has released new BIOS versions for several affected products. For products where a fix is not yet available, it is recommended to restrict access to root or administrator permissions on the operating system. Specific product remediations can be found in the Siemens Security Advisory SSA-216014.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 2.5
exploitability: 3.0
remediation: 7.9
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.