exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Siemens LOGO! 8 Missing Authentication

Siemens LOGO! 8 Missing Authentication
Posted May 29, 2019
Authored by Matthias Deeg, Manuel Stotz | Site syss.de

Due to storing passwords in a recoverable format on Siemens LOGO! 8 PLCs, an attacker can gain access to configured passwords as cleartext.

tags | exploit
advisories | CVE-2019-10919
SHA-256 | 95e944e33b6b49156158226e4700374427c35dfaaa04a226bf39cb8debb11f9a

Siemens LOGO! 8 Missing Authentication

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2019-013
Product: LOGO!
Manufacturer: Siemens
Affected Version(s): LOGO! 8 (all versions)
Tested Version(s): LOGO! 8, 6ED1052-2MD00-0BA8 FS:03, 0BA8.Standard V1.08.03
Vulnerability Type: Missing Authentication for Critical Function (CWE-306)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-04-04
Solution Date: 2019-05-14 (recommended mitigation by manufacturer)
Public Disclosure: 2019-05-29
CVE Reference: CVE-2019-10919
Authors of Advisory: Manuel Stotz (SySS GmbH), Matthias Deeg (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Siemens LOGO! is a programmable logic controller (PLC) for small
automation tasks.

The manufacturer describes the product as follows (see [1]):

"Simple installation, minimum wiring, user-friendly programming: You can
easily implement small automation projects with LOGO!, the intelligent
logic module from Siemens. The LOGO! Logic Module saves space in the
control cabinet, and lets you easily implement functions, such as
time-delay switches, time relays, counters and auxiliary relays. "

Due to storing passwords in a recoverable format on LOGO! 8 PLCs, an
attacker can gain access to configured passwords as cleartext.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found out that the provided function "GetProfile" of a LOGO! 8
PLC that is for instance used by the software tool LOGO! Soft Comfort
does not require any authentication.

Thus, an attacker can send a "GetProfile" query to a LOGO! 8 PLC and
will receive the requested profile information containing sensitive
data such as different configured passwords.

This profile data is encrypted - but it is encrypted via 3DES using a
static, hard-coded cryptographic key, which is described in the SySS
security advisory SYSS-2019-012 [2]. So, by knowing this 3DES key, an
attacker can simply decrypt all sensitive data and use the contained
cleartext passwords (see SySS security advisory SYSS-2019-014 [3]) in
further attacks.

Furthermore, SySS GmbH found out that the provided function for setting
password data on a LOGO! 8 PLC can also be used without any
authentication. Therefore, an attacker can simply set arbitrary
passwords by sending a specific request to the LOGO! 8 PLC via the
network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH could successfully extract sensitive data such as configured
passwords as cleartext from a LOGO! 8 using a developed Nmap script.

The following Nmap output exemplarily shows extracting cleartext
password data from a LOGO! 8 PLC:

$ nmap -p 10005 --script slig.nse 192.168.10.112
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-04 09:35 CEST
Nmap scan report for 192.168.10.112
Host is up (0.00044s latency).

PORT STATE SERVICE
10005/tcp open stel
| slig: Gathered Siemens LOGO!8 access details and passwords
| User: LSCUser
| Password: S3cret1
| Enabled: True
| User: AppUser
| Password: S3cret2
| Enabled: True
| User: WebUser
| Password: S3cret3
| Enabled: True
| User: TDUser
| Password: S3cret4
| Enabled: True
| Protection: Password
| Program password: SECRET
|_MMC serial: \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

A successful attack against a LOGO! 8 extracting all configured
passwords is demonstrated in our SySS PoC video [7].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

In the publicly released Siemens Security Advisory SSA-542701 [3],
the manufacturer Siemens recommends to apply a defense-in-depth concept,
including protection concept outlined in the system manual, as a
mitigation for reducing the risk of the described security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-04-04: Vulnerability reported to manufacturer
2019-04-04: Manufacturer confirms receipt of security advisory and
asks for referenced Nmap script
2019-04-04: SySS provides PoC Nmap script
2019-05-14: Public release of Siemens Security Advisory SSA-542701
2019-05-29: Public release of SySS security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Siemens LOGO!
https://new.siemens.com/global/en/products/automation/systems/industrial/plc/logo.html
[2] SySS Security Advisory SYSS-2019-012
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-012.txt
[3] SySS Security Advisory SYSS-2019-014
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-014.txt
[4] SySS Security Advisory SYSS-2019-013
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-013.txt
[5] Siemens Security Advisory SSA-542701
https://cert-portal.siemens.com/productcert/pdf/ssa-542701.pdf
[6] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/
[7] SySS Proof-of-Concept Video "Siemens LOGO! 8 PLC Password Hacking"
https://youtu.be/TpH4EABGYCs

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Manuel Stotz of SySS GmbH.

E-Mail: manuel.stotz (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc
Key fingerprint = F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0fCgNfBs5nXNuQUU2aS/ajStTasFAlztdrYACgkQ2aS/ajSt
TavHlQ//YulVlc5iY79/lC2bjZ2X0Pelm9XQypoF57jaw2k2wajcsFThTLzTWQcV
tqVSEsPGujUwHDH3Rv8zGqYg2F9SN9UmQWwzKAkeJXOms1QreXShVmy7Nry5N/Hj
D9fbDlKCtCs0AtO0DBhmuzU/SGmtG7r9Y5gMME2N/6vz/73Q9m4dbh0qwnfHPuGV
nm+gpk6Yj0cF+W8ABWqYrcFBMrVW2fekoEHIWM4asXbVQIp7vK9mz0e0N7+g3mDQ
hdQBSbS33fI+ogLeMIMK3XFfkSs+Qaqbktp8URVTph6t81e5ieJZi4+aByxHUBJe
U85xkmm0XIx+xU+AkXn1o1dNw/VLtEo4p3oX3MEDvdm6OZlggJTf3fQ3RqIErbAH
s+io1YqLFxGyNRR0Pm2SjjnKZMaUe4pWtXajLDmCNEIcpfXP7NAtF8OLcW/Ap0X+
cJKKyg1Ko0vREvm+FF4kwjl6XzIc6ZCqN+v18t+1IVQGTN6Wt3KUqewYAk7fBwS6
9khelke73n5KJIsG8vN48+16+B52oPAkmHoLBiy+QCfih/3h89sHx1nA6fL1Ig/e
z/WuTeRCfR3USispPEpk5WHMORpl/QGGuqmcxaqLfFLHXB3h/XhyKHCMK05N6U7t
YfZSAGDgpCHETx6mADQVAlw8M5KEI8gXcopINBcx5aRvcYcV3Qg=
=ga4S
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close