Message-ID: <d2bc0eec-2dbb-49b0-b222-0c6c517c5e95@sec-consult.com>
Date: Fri, 24 May 2024 06:37:00 +0000
From: SEC Consult Vulnerability Lab via Fulldisclosure
 <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] SEC Consult SA-20240524-0 :: Exposed Serial Shell on multiple
 PLCs in Siemens CP-XXXX Series

SEC Consult Vulnerability Lab Security Advisory < 20240524-0 >
=======================================================================
               title: Exposed Serial Shell on multiple PLCs
             product: Siemens CP-XXXX Series (CP-2014, CP-2016, CP-2017, CP-2019, CP-5014)
  vulnerable version: All hardware revisions
       fixed version: Hardware is EOL, no fix
          CVE number: -
              impact: Low
            homepage: https://www.siemens.com
               found: ~2023-06-01
                  by: Steffen Robertz (Office Vienna)
                      Gerhard Hechenberger (Office Vienna)
                      Constantin Schieber-Knöbl (Office Vienna)
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"We are a technology company focused on industry, infrastructure,
transport, and healthcare. From more resource-efficient factories,
resilient supply chains, and smarter buildings and grids, to cleaner
and more comfortable transportation as well as advanced healthcare,
we create technology with purpose adding real value for customers."

Source: https://new.siemens.com/global/en/company/about.html


Business recommendation:
------------------------
The hardware is no longer produced or offered to the market. Hence
HW adaptations resulting in modified products are not possible anymore.
The described HW behavior on this generation of devices cannot be
corrected by means of FW patches.

The risk of successful exploitation is considered low as physical access to
those devices is needed.

SEC Consult highly recommends performing a thorough security review of the
product, conducted by security professionals, to identify and resolve
potential further security issues.


Vulnerability overview/description:
-----------------------------------
1) Exposed Serial Shell on multiple Siemens PLCs
A serial interface can be accessed with physical access to the PCB. After
connecting to the interface, access to a shell with various debug functions
as well as a login prompt is possible.


Proof of concept:
-----------------
1) Exposed Serial Shell on multiple Siemens PLCs

* CP-2016 (Figure 1)
The serial interface on the CP-2016 can be accessed by connecting to the
following through hole pins of an unpopulated header:

  +-+
  |o|
  |o|RX
  |o|TX
  |o|
  |o|
  |o|GND
  +-+

* CP-2019 (Figure 2)
The serial interface on the CP-2019 can be accessed by connecting to the
following through hole pins of an unpopulated header:

  +-+
  |o|
  |o|RX
  |o|TX
  |o|
  |o|
  |o|GND
  +-+

* CP-2014 (Figure 3)
The serial interface on the CP-2014 can be accessed by connecting to the
following through hole pins of an unpopulated header:

  +-+
  |o|GND
  |o|
  |o|
  |o|RX
  |o|TX
  |o|
  +-+

* CP-2017 (Figure 4)
The serial interface on the CP-2017 can be accessed on the compute module
by connecting to pins 9 and 10 on the populated SMD connector:

   1              TX RX
   '-'-'-'-'-'-'-'-'-'
  /-------------------\
  |                   |
  |-------------------|
  +'-'-'-'-'-'-'-'-'-'+
   11                20


* CP-5014 (Figure 5)
The serial interface on the CP-5014 can be accessed on the compute module
by connecting to pins 1 and 2 on the populated SMD connector:

  RX TX              10
   '-'-'-'-'-'-'-'-'-'
  /-------------------\
  |                   |
  |-------------------|
  +'-'-'-'-'-'-'-'-'-'+
   11                20


All serial connections allow access to the SH1703 shell in version 1.00.
The shell requires no authentication and allows the use of multiple
commands.

The following output can be seen on all devices:

---------------------------------------------------
    XXXXX  XXX XXX      X     XXXXX    XXX     XXX
   X     X  X   X     XXX     X   X   X   X   X   X
   X        X   X       X        X    X   X       X
    XXXXX   XXXXX       X        X    X   X     XX
         X  X   X       X       X     X   X       X
   X     X  X   X       X      X      X   X   X   X
    XXXXX  XXX XXX    XXXXX    X       XXX     XXX
---------------------------------------------------

1703 Shell [V1.00]
(c) by 1703 Development Team

type 'help' or '?' or press 'F1' for help

SH1703>

Initialize system ..
. Init Done.

system startup after Power-Up ...
Install device 'USB Server'.

  RTC time not valid

  RTC time not valid

  RTC time not valid
Reg: 100 Komp: 2 BSE: 20
Hello from <R#100 / K#2 / BSE#2> FW-ID: 2019 FW-Version: 0.06A01
Startup ZBGs ... done.

system ready
SH1703>help
Available commands:
  hist                             Display command history
!<n>                             Execute <n> command from stack
  ?        [<cmd>]                 Display this message
  help     [<cmd>]                 Display this message
  echo     <text>                  Displays text
  call     <file>                  Run script file
  cls                              Clear screen
  loop     <cmd>                   Loop-execution of cmd
  ldfile   <file>                  Load ascii file
  db       <a> [-b|w|d<x> [-n<x>]] Display memory byte/word/dword
  wb       <a> <val> [-b|w|d<x>]   Write memory byte/word/dword
  mb       <a> [-b|w|d<x> [-n<x>]] Monitoring memory byte/word/dword
  login                            Login
  logoff                           Logoff
  pci      ...                     PCI Commands
  bemrk                            Run Benchmark
  drv                              List installed drives
  dir                              List files in directory
  del      [<drv:>]<file>          Delete file
  ren      <src> <dest>            Rename or move file
  cd       <dir>|<..>              Change current directory or drive
  md       <dir>                   Make directory
  rd       <dir>                   Remove directory
  type     [<drv:>]<file>          Displays the contents of a file
  copy     <src> <dest>            Copy a file
  findstr  <file> <str>            Find a string in a textfile
  mkdisk   <drvname> <size>        Make a Ramdisk
  uidisk   <drvname>               Close and uninstall a disk
  format   <drvname>               Format drive
  mem_wr   <addr> <size> <des>     Write mem to file
  idr                              Read from diagnostic ring
  icr                              Clear diagnostic ring
  idd                              Debug-Trace ON
  bp                               Read all breakpoint settings
  bpf      [<file>]                Set File for Debugprint (no arg = stdout)
  is       ...                     Debugger settings
  ig       [f|s]                   Display BPs / Clear all BPs
  idb                              Read DB-Breaks
  idt                              Read DB-Trace Settings
  icz                              Clear breakpoint counters
  dev      ...                     ZIO-Device commands
  bsp      ...                     bsp commands
  ftrc     ...                     FTRC Commands
  banner                           Display the banner
  pl                               Display process list
  pi       [<appl_nr>]             Display process info
  ad       -c|d|k|s                APP-Debug Create|Detach|Kill|Start
  tl                               Display task list (all processes)
  tm       [-r]                    Display task monitor (-r = runtime)
  tc       <taskname>              Display task context
  td       <taskID>                Display task descriptor
  tq                               Display task queues
  sysztsk                          Display ZOS-tasks of system process
  appztsk  [<appl_nr>]             Display ZOS-tasks of appl-process(es)
  stack                            Display stack usage of all tasks
  stsk     -c|d|e|s|r              ZOS-Task Create|Del|Exch|Suspend|Resume
  tsktrc   -s|r|c                  ZOS-Task-Trace Start|Read|Clear
  set      [<name>=<val>]          Display, set or remove environment variables
  time                             Display the current time
  timeset                          Set the current time
  mem                              Display memory usage
  status                           Display system status informations
  ver                              Display version informations
  r                                Reset system element (R,R Cxx,R Pxx,R Zxx
  klog     [dis|ena|all]           Display, disable or enable kernel logging
  psp_info                         Display prozessor configuration infos
  int_info                         Interrupt-Info-List
  int_gen                          Generate Interrupt (for Admin only)
  tlbs                             Display TLBs
  ga       [<appl_nr>]             Start Subshell of application
  tsd                              Debug Timeserver
  mci                              MCI Commands
  usb      <cmd>                   USB commands
  mmc      <cmd>                   MMC Commands
  zhs                              ZHS commands
  zpv                              Parameter infos
  zdt                              data transporter
  fsn                              ZIO/FSN statistics
  net      <enet|emac|mal> <dev>   Network statistics
  prd      <pg> <reg> <len>        Read PHY register (len: 8|16|32)
  pwr      <pg> <reg> <len> <data> Write PHY register (len: 8|16|32)
  rmib                             Reset all statistic counters
  scfg                             Display broadcom switch registers
  ipaddr   <dev>                   Display ip addresses on interface
  route                            Display routing table
  socket                           Display socket statistic
  tcp                              Display tcp statistic
  udp                              Display udp statistic
  arp                              Display arp cache
  ping     host-ipaddr             send ICMP ECHO_REQUEST to a host
  arl                              Switch Address Resolution table
  ebuf                             Statistic for Buffer handling FSN
  tls_ciph                         print cipher suites for all connections
  tls_obj  idx                     print connection objects
  tls_log                          log level for tls lib
  tls_deb  idx                     print connection debug cnts
  tlscache                         print cert/key cache
  opensslm                         print mem pool statistic for openssl
  tlsdeb_s                         START mem pool debug function
  tlsdeb_e                         END mem pool debug function
  tlsdeb_r                         print mem pool debug for openssl
  tlsdeb_c                         CLEAR mem pool debug function
  sap                              special application function
Available Function-Keys:
  F1     Help
  F2     Display system status informations
  F3     Display Last command
  F5     Display the current time
  F7     History
  F8     Display memory usage
  F9     Display ZOS-Task Infos
  F10    Display Tasklist
  F11    Execute Last command
SH1703>

----------------------------------------
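As an added example (not part of the advisory), a small Python parser for the SH1703 `help` listing shown above: it turns the fixed-width listing into structured records and flags the commands whose description indicates a state change, so an asset owner can record what the unauthenticated console exposes. The sample listing is rebuilt from a few rows of the captured output, and the verb-based heuristic is an assumption of this example, not a vendor classification.

```python
import re

# Constructed excerpt of the SH1703 'help' listing quoted in the advisory.
# Rows are rebuilt with the listing's fixed-width layout (command at column 2,
# arguments at column 11, description at column 35).
def _row(cmd: str, args: str, desc: str) -> str:
    return f"  {cmd:<9}{args:<24}{desc}".rstrip()

SH1703_HELP = "\n".join([
    "Available commands:",
    _row("hist", "", "Display command history"),
    _row("help", "[<cmd>]", "Display this message"),
    _row("db", "<a> [-b|w|d<x> [-n<x>]]", "Display memory byte/word/dword"),
    _row("wb", "<a> <val> [-b|w|d<x>]", "Write memory byte/word/dword"),
    _row("login", "", "Login"),
    _row("del", "[<drv:>]<file>", "Delete file"),
    _row("mem_wr", "<addr> <size> <des>", "Write mem to file"),
    _row("timeset", "", "Set the current time"),
    "Available Function-Keys:",
    "  F1     Help",
])

DESC_COL = 35  # column where the description text starts in the listing

def parse_help(text: str) -> list[dict[str, str]]:
    # Turn the 'Available commands' section into {cmd, args, desc} records.
    entries: list[dict[str, str]] = []
    in_commands = False
    for raw in text.splitlines():
        if raw.startswith("Available commands"):
            in_commands = True
            continue
        if raw.startswith("Available Function-Keys"):
            break  # function keys are not shell commands
        if not in_commands or not raw.strip():
            continue
        head = raw[:DESC_COL].split(None, 1)  # [command, optional arguments]
        entries.append({
            "cmd": head[0],
            "args": head[1].strip() if len(head) > 1 else "",
            "desc": raw[DESC_COL:].strip(),
        })
    return entries

# Heuristic (assumption of this example): a description starting with one of
# these verbs changes device state rather than only reading it.
MUTATING_VERBS = re.compile(r"^(Write|Delete|Set|Format|Remove|Make|Reset|Rename|Clear)\b")

def mutating_commands(entries: list[dict[str, str]]) -> list[str]:
    # Commands an auditor would record as state-changing for the asset.
    return [e["cmd"] for e in entries if MUTATING_VERBS.match(e["desc"])]
```

Running `mutating_commands(parse_help(SH1703_HELP))` on the sample yields the memory-write, file-delete and clock-set commands, the subset worth highlighting in a risk record for an EOL device that cannot be patched.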


Vulnerable / tested versions:
-----------------------------
The following versions were tested; they were the latest versions available
at the time of the test:
* CP-2016: CPCX26 V0.06A01
* CP-2019: PCCX26 V0.06A01
* CP-2014: CPCX25 V0.05A04
* CP-2017: PCCX25 V0.11A10
* CP-5056: CPCX55 V0.10A04


Vendor contact timeline:
------------------------
2024-03-05: Contacting vendor through productcert@...mens.com
2024-03-06: Siemens tracks this issue as case #04393
2024-04-03: Requested status update.
2024-04-03: Product is EOL, no fix planned.
2024-04-29: Informed Siemens about planned publication of advisory.
2024-04-30: Siemens requests draft of advisory. Advisory is sent for review.
2024-05-07: Siemens requested small changes in the Solution and Business
             Recommendation.
2024-05-24: Public release of security advisory.


Solution:
---------
The hardware is no longer produced or offered to the market. Hence HW
adaptations resulting in modified products are not possible anymore. The
described HW behavior on this generation of devices cannot be corrected
by means of FW patches.

The risk of successful exploitation is considered low as physical access to
those devices is needed.


Workaround:
-----------
Make sure to strictly limit physical access to the PLC during and also
after its life cycle.


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Steffen Robertz, Gerhard Hechenberger, Constantin Schieber-Knöbl / @2024



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
