Patched Deserialization Flaw in Siemens Product Allows RCE
The Siemens Simatic Energy Manager Used an Unsafe BinaryFormatter Method

Researchers detailed a deserialization vulnerability in Siemens software used to monitor energy consumption in industrial settings, and attributed the flaw to the German conglomerate's decision to build on a .NET serialization class with well-known security risks.
Siemens patched the vulnerability, tracked as CVE-2022-23450, two years ago - time enough, researchers at Claroty said last week, for Siemens customers to have applied the patch before a detailed explanation of the flaw, which they discovered, was published.
"Even though many think deserialization vulnerabilities are a thing of the past, we still see them pop up every now and then," Claroty said. Programs serialize structured data into a byte stream to send it across a network or store it, and deserialize it on the other side to rebuild the original objects. If an attacker can supply that byte stream, and the deserializer reconstructs whatever object types the stream names, a crafted stream can instantiate classes whose constructors, property setters or deserialization callbacks carry out attacker-chosen actions. The result is remote code execution on the computer that deserializes the bytes, unless countermeasures are in place.

Countermeasures were not in place in the Siemens Simatic Energy Manager, software that uses a proprietary messaging protocol to carry plant energy-usage data from a web server to a user application.
The Claroty researchers reverse-engineered the messaging protocol and found a message type containing the string BinaryFormatter. Behind the scenes, Simatic Energy Manager is a Microsoft .NET application, and its programmers used the .NET BinaryFormatter class for object serialization and deserialization. Microsoft cautioned developers in 2020 not to use the class, and in 2023 the company warned that the method "is never safe when used with untrusted input."
Microsoft and cyber defenders have known about deserialization risks in BinaryFormatter since at least 2012, when a researcher presented a paper on them at the Black Hat conference. In 2016, Microsoft left BinaryFormatter out of .NET Core, only to bring it back because there was no clear alternative for existing code. Microsoft deprecated the format last November.
What made BinaryFormatter so popular is also why Microsoft ultimately had to turn it off. The class "does not sanitize the types of classes it deserializes, instead it has the ability to create arbitrary classes," Claroty said. Company researchers created a malicious serialized class that forced the Simatic Energy Manager into deserializing the code "even before we authenticated, meaning this remote code execution vulnerability does not require us to bypass authentication checks."
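As an added illustration, not code from Siemens or from Claroty's research, the following C# shows the unsafe pattern the two paragraphs above describe beside a hardened replacement, plus a byte-level check for the BinaryFormatter stream header that the researchers spotted by name in the protocol. The message shape (EnergyReading), the JSON framing, the size limits and the sample message are assumptions made for the example; the real Simatic Energy Manager wire format is proprietary and is not reproduced here.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Assumed message shape for the example: one energy reading. Not Siemens' real format.
public sealed class EnergyReading
{
    public string Meter { get; set; } = "";
    public double Kilowatts { get; set; }
    public DateTime Timestamp { get; set; }
}

public static class MessageHandlers
{
    // VULNERABLE pattern (the one the article describes): BinaryFormatter instantiates
    // whatever types the byte stream names, so a client that can reach this code path
    // runs its gadget chain inside Deserialize(), before any authentication check that
    // comes later. The cast to EnergyReading happens afterwards and protects nothing.
    public static EnergyReading UnsafeDecode(byte[] payload)
    {
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete and unsafe
        var formatter = new BinaryFormatter();
        using var stream = new MemoryStream(payload);
        return (EnergyReading)formatter.Deserialize(stream);
#pragma warning restore SYSLIB0011
    }

    // HARDENED replacement: a data-only format bound to one concrete type.
    // System.Text.Json never reads a type name out of the input, so the sender cannot
    // steer it into constructing anything other than EnergyReading, and the result is
    // size-bounded and validated before it is used.
    public static EnergyReading SafeDecode(byte[] payload, int maxBytes = 4096)
    {
        if (payload.Length > maxBytes)
            throw new InvalidDataException("message too large");

        var options = new JsonSerializerOptions { PropertyNameCaseInsensitive = true, MaxDepth = 8 };
        EnergyReading reading = JsonSerializer.Deserialize<EnergyReading>(payload, options)
            ?? throw new InvalidDataException("empty message");

        if (string.IsNullOrWhiteSpace(reading.Meter) || reading.Meter.Length > 64)
            throw new InvalidDataException("bad meter id");
        if (double.IsNaN(reading.Kilowatts) || reading.Kilowatts < 0)
            throw new InvalidDataException("bad reading");
        return reading;
    }

    // Every BinaryFormatter stream opens with a 17-byte SerializationHeaderRecord:
    // record type 0x00, RootId (int32, normally 1), HeaderId (int32, -1 when there are
    // no headers), MajorVersion 1, MinorVersion 0. Matching it is a quick way to spot
    // the format in a capture or at a protocol boundary.
    private static readonly byte[] BinaryFormatterHeader =
    {
        0x00,
        0x01, 0x00, 0x00, 0x00,
        0xFF, 0xFF, 0xFF, 0xFF,
        0x01, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00,
    };

    public static bool LooksLikeBinaryFormatter(ReadOnlySpan<byte> payload) =>
        payload.Length >= BinaryFormatterHeader.Length &&
        payload[..BinaryFormatterHeader.Length].SequenceEqual(BinaryFormatterHeader);
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample message (JSON), not a captured Siemens frame.
        byte[] json = System.Text.Encoding.UTF8.GetBytes(
            "{\"meter\":\"line-3\",\"kilowatts\":42.5,\"timestamp\":\"2024-01-01T00:00:00Z\"}");

        EnergyReading r = MessageHandlers.SafeDecode(json);
        Console.WriteLine($"{r.Meter}: {r.Kilowatts} kW at {r.Timestamp:u}");
        Console.WriteLine($"BinaryFormatter header present: {MessageHandlers.LooksLikeBinaryFormatter(json)}");
    }
}
```

Two practical notes. Do not reach for a custom SerializationBinder as the fix for code like UnsafeDecode: Microsoft's own guidance is that a binder is not a reliable defense against malicious input, and that the only safe course is to stop calling BinaryFormatter on data you do not fully control. On .NET 8, BinaryFormatter.Deserialize already throws NotSupportedException unless the project opts in with the EnableUnsafeBinaryFormatterSerialization property, so a grep for that property in project files is a fast way to find code that has deliberately kept the unsafe path alive.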
Any Siemens customer running a version of Energy Manager below V7.3 Update 1 remains vulnerable to the attack. The vulnerability carries a CVSS score of 10, the maximum possible.