Siemens CP-XXXX Series Exposed Serial Shell

`SEC Consult Vulnerability Lab Security Advisory < 20240524-0 >  
=======================================================================  
title: Exposed Serial Shell on multiple PLCs  
product: Siemens CP-XXXX Series (CP-2014, CP-2016, CP-2017, CP-2019, CP-5014)  
vulnerable version: All hardware revisions  
fixed version: Hardware is EOL, no fix  
CVE number: -  
impact: Low  
homepage: https://www.siemens.com  
found: ~2023-06-01  
by: Steffen Robertz (Office Vienna)  
Gerhard Hechenberger (Office Vienna)  
Constantin Schieber-Knöbl (Office Vienna)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"We are a technology company focused on industry, infrastructure,  
transport, and healthcare. From more resource-efficient factories,  
resilient supply chains, and smarter buildings and grids, to cleaner  
and more comfortable transportation as well as advanced healthcare,  
we create technology with purpose adding real value for customers."  
  
Source: https://new.siemens.com/global/en/company/about.html  
  
  
Business recommendation:  
------------------------  
The hardware is no longer produced nor offered to the market. Hence  
HW adaptions resulting in modified products are not possible anymore.  
The described HW behavior on this generation of devices cannot be  
corrected by means of FW patches.  
  
The risk of successful exploitation is considered low as physical access to  
those devices is needed.  
  
SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Exposed Serial Shell on multiple Siemens PLCs  
A serial interface can be accessed with physical access to the PCB. After  
connecting to the interface, access to a shell with various debug functions  
as well as a login prompt is possible.  
  
  
Proof of concept:  
-----------------  
1) Exposed Serial Shell on multiple Siemens PLCs  
  
* CP-2016 (Figure 1)  
The serial interface on the CP-2016 can be accessed by connecting to the  
following through hole pins of an unpopulated header:  
  
+-+  
|o|  
|o|RX  
|o|TX  
|o|  
|o|  
|o|GND  
+-+  
  
* CP-2019 (Figure 2)  
The serial interface on the CP-2019 can be accessed by connecting to the  
following through hole pins of an unpopulated header:  
  
+-+  
|o|  
|o|RX  
|o|TX  
|o|  
|o|  
|o|GND  
+-+  
  
* CP-2014 (Figure 3)  
The serial interface on the CP-2014 can be accessed by connecting to the  
following through hole pins of an unpopulated header:  
  
+-+  
|o|GND  
|o|  
|o|  
|o|RX  
|o|TX  
|o|  
+-+  
  
* CP-2017 (Figure 4)  
The serial interface on the CP-2017 can be accessed on the compute module  
by connecting to pins 9 and 10 on the populated SMD connector:  
  
1 TX RX  
'-'-'-'-'-'-'-'-'-'  
/-------------------\  
| |  
|-------------------|  
+'-'-'-'-'-'-'-'-'-'+  
11 20  
  
  
* CP-5014 (Figure 5)  
The serial interface on the CP-5014 can be accessed on the compute module  
by connecting to pins 1 and 2 on the populated SMD connector:  
  
RX TX 10  
'-'-'-'-'-'-'-'-'-'  
/-------------------\  
| |  
|-------------------|  
+'-'-'-'-'-'-'-'-'-'+  
11 20  
  
  
All serial connections allow access to the SH1703 shell in version 1.00.  
The shell requires no authentication and allows the usage of multiple  
commands.  
  
The following output can be seen on all devices:  
  
---------------------------------------------------  
XXXXX XXX XXX X XXXXX XXX XXX  
X X X X XXX X X X X X X  
X X X X X X X X  
XXXXX XXXXX X X X X XX  
X X X X X X X X  
X X X X X X X X X X  
XXXXX XXX XXX XXXXX X XXX XXX  
---------------------------------------------------  
  
1703 Shell [V1.00]  
(c) by 1703 Development Team  
  
type 'help' or '?' or press 'F1' for help  
  
SH1703>  
  
Initialize system ..  
. Init Done.  
  
system startup after Power-Up ...  
Install device 'USB Server'.  
  
RTC time not valid  
  
RTC time not valid  
  
RTC time not valid  
Reg: 100 Komp: 2 BSE: 20  
Hello from <R#100 / K#2 / BSE#2> FW-ID: 2019 FW-Version: 0.06A01  
Startup ZBGs ... done.  
  
system ready  
SH1703>help  
Available commands:  
hist Display command history  
!<n> Execute <n> command from stack  
? [<cmd>] Display this message  
help [<cmd>] Display this message  
echo <text> Displays text  
call <file> Run script file  
cls Clear screen  
loop <cmd> Loop-execution of cmd  
ldfile <file> Load ascii file  
db <a> [-b|w|d<x> [-n<x>]] Display memory byte/word/dword  
wb <a> <val> [-b|w|d<x>] Write memory byte/word/dword  
mb <a> [-b|w|d<x> [-n<x>]] Monitoring memory byte/word/dword  
login Login  
logoff Logoff  
pci ... PCI Commands  
bemrk Run Benchmark  
drv List installed drives  
dir List files in directory  
del [<drv:>]<file> Delete file  
ren <src> <dest> Rename or move file  
cd <dir>|<..> Change current directory or drive  
md <dir> Make directory  
rd <dir> Remove directory  
type [<drv:>]<file> Displays the contents of a file  
copy <src> <dest> Copy a file  
findstr <file> <str> Find a string in a textfile  
mkdisk <drvname> <size> Make a Ramdisk  
uidisk <drvname> Close and uninstall a disk  
format <drvname> Format drive  
mem_wr <addr> <size> <des> Write mem to file  
idr Read from diagnostic ring  
icr Clear diagnostic ring  
idd Debug-Trace ON  
bp Read all breakpoint settings  
bpf [<file>] Set File for Debugprint (no arg = stdout)  
is ... Debugger settings  
ig [f|s] Display BPs / Clear all BPs  
idb Read DB-Breaks  
idt Read DB-Trace Settings  
icz Clear breakpoint counters  
dev ... ZIO-Device commands  
bsp ... bsp commands  
ftrc ... FTRC Commands  
banner Display the banner  
pl Display process list  
pi [<appl_nr>] Display process info  
ad -c|d|k|s APP-Debug Create|Detach|Kill|Start  
tl Display task list (all processes)  
tm [-r] Display task monitor (-r = runtime)  
tc <taskname> Display task context  
td <taskID> Display task descriptor  
tq Display task queues  
sysztsk Display ZOS-tasks of system process  
appztsk [<appl_nr>] Display ZOS-tasks of appl-process(es)  
stack Display stack usage of all tasks  
stsk -c|d|e|s|r ZOS-Task Create|Del|Exch|Suspend|Resume  
tsktrc -s|r|c ZOS-Task-Trace Start|Read|Clear  
set [<name>=<val>] Display, set or remove environment variables  
time Display the current time  
timeset Set the current time  
mem Display memory usage  
status Display system status informations  
ver Display version informations  
r Reset system element (R,R Cxx,R Pxx,R Zxx  
klog [dis|ena|all] Display, disable or enable kernel logging  
psp_info Display prozessor configuration infos  
int_info Interrupt-Info-List  
int_gen Generate Interrupt (for Admin only)  
tlbs Display TLBs  
ga [<appl_nr>] Start Subshell of application  
tsd Debug Timeserver  
mci MCI Commands  
usb <cmd> USB commands  
mmc <cmd> MMC Commands  
zhs ZHS commands  
zpv Parameter infos  
zdt data transporter  
fsn ZIO/FSN statistics  
net <enet|emac|mal> <dev> Network statistics  
prd <pg> <reg> <len> Read PHY register (len: 8|16|32)  
pwr <pg> <reg> <len> <data> Write PHY register (len: 8|16|32)  
rmib Reset all statistic counters  
scfg Display broadcom switch registers  
ipaddr <dev> Display ip addresses on interface  
route Display routing table  
socket Display socket statistic  
tcp Display tcp statistic  
udp Display udp statistic  
arp Display arp cache  
ping host-ipaddr send ICMP ECHO_REQUEST to a host  
arl Switch Address Resolution table  
ebuf Statistic for Buffer handling FSN  
tls_ciph print cipher suites for all connections  
tls_obj idx print connection objects  
tls_log log level for tls lib  
tls_deb idx print connection debug cnts  
tlscache print cert/key cache  
opensslm print mem pool statistic for openssl  
tlsdeb_s START mem pool debug function  
tlsdeb_e END mem pool debug function  
tlsdeb_r print mem pool debug for openssl  
tlsdeb_c CLEAR mem pool debug function  
sap special application function  
Available Function-Keys:  
F1 Help  
F2 Display system status informations  
F3 Display Last command  
F5 Display the current time  
F7 History  
F8 Display memory usage  
F9 Display ZOS-Task Infos  
F10 Display Tasklist  
F11 Execute Last command  
SH1703>  
  
----------------------------------------  
  
  
Vulnerable / tested versions:  
-----------------------------  
The following versions have been tested which were the latest version available  
at the time of the test:  
* CP-2016: CPCX26 V0.06A01  
* CP-2019: PCCX26 V0.06A01  
* CP-2014: CPCX25 V0.05A04  
* CP-2017: PCCX25 V0.11A10  
* CP-5056: CPCX55 V0.10A04  
  
  
Vendor contact timeline:  
------------------------  
2024-03-05: Contacting vendor through [email protected]  
2024-03-06: Siemens tracks this issue as case #04393  
2024-04-03: Requested status update.  
2024-04-03: Product is EOL, no fix planned.  
2024-04-29: Informed Siemens about planned publication of advisory.  
2024-04-30: Siemens, requests draft of advisory. Advisory is sent for review.  
2024-05-07: Siemens requested small changes in the Solution and Business  
Recommendation.  
2024-05-24: Public release of security advisory.  
  
  
Solution:  
---------  
The hardware is no longer produced nor offered to the market. Hence HW  
adaptions resulting in modified products are not possible anymore. The  
described HW behavior on this generation of devices cannot be corrected  
by means of FW patches.  
  
The risk of successful exploitation is considered low as physical access to  
those devices is needed.  
  
  
Workaround:  
-----------  
Make sure to strictly limit physical access to the PLC during and also  
after its life cycle.  
  
  
Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Steffen Robertz, Gerhard Hechenberger, Constantin Schieber-Knöbl / @2024  
  
`