Due to storing passwords in a recoverable format on Siemens LOGO! 8 PLCs, an attacker can gain access to configured passwords as cleartext.
Siemens LOGO! 8 Missing Authentication Vulnerability

Product: LOGO!
Manufacturer: Siemens
Affected Version(s): LOGO! 8 (all versions)
Tested Version(s): LOGO! 8, 6ED1052-2MD00-0BA8 FS:03, 0BA8.Standard V1.08.03
Vulnerability Type: Missing Authentication for Critical Function (CWE-306)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-04-04
Solution Date: 2019-05-14 (recommended mitigation by manufacturer)
Public Disclosure: 2019-05-29
CVE Reference: CVE-2019-10919
Authors of Advisory: Manuel Stotz (SySS GmbH), Matthias Deeg (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Siemens LOGO! is a programmable logic controller (PLC) for small automation tasks. The manufacturer describes the product as follows (see the product website listed under References):

"Simple installation, minimum wiring, user-friendly programming: You can easily implement small automation projects with LOGO!, the intelligent logic module from Siemens. The LOGO! Logic Module saves space in the control cabinet, and lets you easily implement functions, such as time-delay switches, time relays, counters and auxiliary relays."

Due to storing passwords in a recoverable format on LOGO! 8 PLCs, an attacker can gain access to configured passwords as cleartext.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found out that the provided function "GetProfile" of a LOGO! 8 PLC, which is for instance used by the software tool LOGO! Soft Comfort, does not require any authentication. Thus, an attacker can send a "GetProfile" query to a LOGO! 8 PLC and will receive the requested profile information containing sensitive data such as different configured passwords. This profile data is encrypted, but it is encrypted via 3DES using a static, hard-coded cryptographic key, which is described in the SySS security advisory SYSS-2019-012.
So, by knowing this 3DES key, an attacker can simply decrypt all sensitive data and use the contained cleartext passwords (see SySS security advisory SYSS-2019-014) in further attacks.

Furthermore, SySS GmbH found out that the provided function for setting password data on a LOGO! 8 PLC can also be used without any authentication. Therefore, an attacker can simply set arbitrary passwords by sending a specific request to the LOGO! 8 PLC via the network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH could successfully extract sensitive data such as configured passwords as cleartext from a LOGO! 8 using a developed Nmap script. The following Nmap output exemplarily shows extracting cleartext password data from a LOGO! 8 PLC:

$ nmap -p 10005 --script slig.nse 192.168.10.112
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-04 09:35 CEST
Nmap scan report for 192.168.10.112
Host is up (0.00044s latency).

PORT      STATE SERVICE
10005/tcp open  stel
| slig: Gathered Siemens LOGO!8 access details and passwords
|   User: LSCUser
|     Password: S3cret1
|     Enabled: True
|   User: AppUser
|     Password: S3cret2
|     Enabled: True
|   User: WebUser
|     Password: S3cret3
|     Enabled: True
|   User: TDUser
|     Password: S3cret4
|     Enabled: True
|   Protection: Password
|   Program password: SECRET
|_  MMC serial: \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

A successful attack against a LOGO! 8 extracting all configured passwords is demonstrated in our SySS PoC video (see References).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

In the publicly released Siemens Security Advisory SSA-542701, the manufacturer Siemens recommends applying a defense-in-depth concept, including the protection concept outlined in the system manual, as a mitigation for reducing the risk of the described security issue.
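Because "GetProfile" and the password-setting function need no authentication, the mitigation above only holds while no unapproved host can reach the LOGO! service on TCP port 10005. The following detection, an added example written for this page and not code from SySS or Siemens, flags every connection to that port on a known LOGO! 8 PLC from a host outside an engineering-workstation allowlist; the PLC inventory, the allowlist and the Zeek-style conn.log lines are constructed, and the /24 site subnet used for severity is an assumption.

```python
"""Flag access to the unauthenticated LOGO! 8 service (TCP/10005) from unapproved hosts."""
import ipaddress

LOGO_PORT = 10005  # service reached by the Nmap PoC above (Nmap labels it "stel")
# Constructed PLC inventory and engineering-workstation allowlist (assumptions).
LOGO_PLCS = {"192.168.10.112"}
ENGINEERING_HOSTS = {"192.168.10.20"}

# Constructed Zeek-style conn.log lines:
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto
SAMPLE_LOG = """\
1554363300.1 C1 192.168.10.20 49152 192.168.10.112 10005 tcp
1554363301.4 C2 192.168.10.55 51234 192.168.10.112 10005 tcp
1554363302.7 C3 192.168.10.55 51235 192.168.10.112 80 tcp
1554363303.9 C4 10.0.0.9 40001 192.168.10.112 10005 tcp
"""


def parse_conn_line(line):
    """Split one whitespace-separated conn.log record into typed fields."""
    ts, uid, orig_h, orig_p, resp_h, resp_p, proto = line.split()
    return {"ts": float(ts), "uid": uid, "orig_h": orig_h, "orig_p": int(orig_p),
            "resp_h": resp_h, "resp_p": int(resp_p), "proto": proto}


def find_unauthorized_logo_access(log_text, plcs=LOGO_PLCS, allowed=ENGINEERING_HOSTS):
    """Return an alert per TCP/10005 connection to a LOGO! PLC from a non-allowlisted host.

    Any such connection may already have disclosed every configured password
    (GetProfile) or changed them (password-setting function), so each hit is
    worth an incident ticket, not just a counter.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        c = parse_conn_line(line)
        if c["proto"] != "tcp" or c["resp_p"] != LOGO_PORT or c["resp_h"] not in plcs:
            continue
        if c["orig_h"] in allowed:
            continue
        # Assumption: the PLC lives in a /24 cell network; a source outside it
        # crossed a segmentation boundary, which the defense-in-depth concept
        # is supposed to prevent, so rate it higher than a same-segment host.
        cell_net = ipaddress.ip_network(c["resp_h"] + "/24", strict=False)
        severity = "high" if ipaddress.ip_address(c["orig_h"]) not in cell_net else "medium"
        alerts.append({"uid": c["uid"], "src": c["orig_h"], "plc": c["resp_h"],
                       "severity": severity})
    return alerts
```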
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-04-04: Vulnerability reported to manufacturer
2019-04-04: Manufacturer confirms receipt of security advisory and asks for referenced Nmap script
2019-04-04: SySS provides PoC Nmap script
2019-05-14: Public release of Siemens Security Advisory SSA-542701
2019-05-29: Public release of SySS security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

Product website for Siemens LOGO!
https://new.siemens.com/global/en/products/automation/systems/industrial/plc/logo.html

SySS Security Advisory SYSS-2019-012
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-012.txt

SySS Security Advisory SYSS-2019-014
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-014.txt

SySS Security Advisory SYSS-2019-013
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-013.txt

Siemens Security Advisory SSA-542701
https://cert-portal.siemens.com/productcert/pdf/ssa-542701.pdf

SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/

SySS Proof-of-Concept Video "Siemens LOGO! 8 PLC Password Hacking"
https://youtu.be/TpH4EABGYCs

# 0day.today [2019-05-30] #