Siemens LOGO!, a PLC for small automation projects, open to attack

LOGO!, a programmable logic controller (PLC) manufactured by Siemens, sports three vulnerabilities that could allow remote attackers to reconfigure the device, access project files, decrypt files, and access passwords.

Siemens LOGO vulnerabilities

About LOGO!

LOGO! is an intelligent logic module meant for small automation projects in industrial (control of compressors, conveyer belts, door control, etc.), office/commercial and home settings (lighting control, pool-related control tasks, access control, etc.).

It is deployed worldwide and can be controlled remotely.

About the vulnerabilities

The vulnerabilities, discovered and reported by Manuel Stotz and Matthias Deeg from German pentesting outfit SySS GmbH, are three:

  • CVE-2019-10919 – Missing authentication for critical functions (getting profile information containing sensitive data such as different configured passwords, setting passwords) which could allow the attacker to perform device reconfigurations and obtain project files.
  • CVE-2019-10920 – Use of hard-coded cryptographic key (the aforementioned configured passwords are, for example, encrypted with it).
  • CVE-2019-10921 – Storing passwords in a recoverable (cleartext) format (stored in the project).

All versions of Siemens LOGO!8 BM (basic module) are affected.

As confirmed by Siemens Siemens, all three vulnerabilities can be exploited by an unauthenticated attacker with network access to port 10005/tcp, with no user interaction.

“The LOGO!8 BM manual recommends protecting access to Port 10005/TCP,” ICS CERT noted. Siemens also advises implementing Defense-in-Depth, as outlined in the device system manual.

Two weeks ago, when Siemens released the advisory, there were no known public exploits for specifically targeting these vulnerabilities.

In the meantime, SySS researchers have published advisories (1, 2, 3) containing more details about the flaws, PoC exploit code (Nmap scripts), and a video demonstration of the attacks:

Don't miss