Siemens Fixes Session Hijacking Bug in LOGO!, Warns of Man-in-the-Middle Attacks

Siemens fixed a session hijacking vulnerability in its LOGO! logic module Wednesday but says a second issue, one that could help facilitate a man-in-the-middle attack, has no fix currently.

Administrators who have Siemens’ LOGO! logic module deployed in automation setups are being urged to update its firmware.

The German industrial manufacturing giant pushed out an update for its LOGO! 8 BM devices Wednesday morning to fix a vulnerability (CVE-2017-12734) that could let an attacker hijack existing web sessions. The vulnerability affects all versions of the module prior to V1.81.2.

LOGO! is a universal logic module designed for use in small-scale automation projects. It’s commonly used in domestic and installation engineering setups, gate control systems, air conditioning systems, and rainwater pumps. The module can also communicate with SIMATIC HMI and S7 systems.

The vulnerability, discovered by Maxim Rupp, an independent security researcher based in Germany, could allow an attacker with network access to the module’s integrated web server on port 80/TCP to obtain the session ID of a user who is currently logged into the web interface, and with it take over that user’s session.

Admins should apply the firmware update to fix that vulnerability, but more concerning is a second issue (CVE-2017-12735) affecting the logic module that has not been fixed.

The second issue could let an attacker carry out a man-in-the-middle attack between LOGO! and other devices and potentially allow them to decrypt and modify network traffic, according to a security advisory (.PDF) issued by the company’s ProductCERT team Wednesday.

Siemens is urging admins to apply four mitigations to thwart exploitation of the second vulnerability:

  • Configure the environment according to the recommendations in the user manual
  • Apply cell protection concept
  • Use VPN for protecting network communication between cells
  • Apply Defense-in-Depth

It’s unclear if Siemens plans to fix the vulnerability that could lead to a man-in-the-middle attack. The company did not immediately return a request for comment on Wednesday, but said in its advisory it strongly recommends users protect network access to the devices with appropriate mechanisms.
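The mitigations above come down to making sure only the intended automation cell can reach the module’s web server, and watching for the symptom the fixed bug enables: a session ID that was issued to one host turning up from another. The following is an added example of how a defender could check both conditions against connection logs from a firewall or proxy in front of the device; it is not Siemens’ code and not LOGO! output. The device address, the allowed cell subnet and the log lines are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log (not real LOGO! output): one line per HTTP request that
# reached the module's integrated web server, as a firewall or proxy in front of it
# might record. Fields: timestamp, source IP, destination IP, destination port,
# request path, session ID ("-" if the request carried none). The last line is on a
# different port and exists only to show that it is ignored.
SAMPLE_LOG = """\
2017-10-11T08:00:01 192.168.10.20 192.168.10.5 80 /login -
2017-10-11T08:00:02 192.168.10.20 192.168.10.5 80 /status 9f1c3b
2017-10-11T08:01:10 10.0.0.77 192.168.10.5 80 /status 9f1c3b
2017-10-11T08:02:00 192.168.10.21 192.168.10.5 80 /status 2a77e0
2017-10-11T08:02:30 192.168.10.21 192.168.10.5 502 /other 2a77e0
"""

LOGO_IP = "192.168.10.5"               # assumed address of the LOGO! 8 BM module
WEB_PORT = 80                          # integrated web server port named in the advisory
AUTOMATION_CELL = ["192.168.10.0/24"]  # assumed: the only cell allowed to reach the web server


def parse_log(text):
    """Parse the whitespace-separated log format above into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, port, path, sid = parts
        records.append({
            "ts": ts, "src": src, "dst": dst, "port": int(port),
            "path": path, "sid": None if sid == "-" else sid,
        })
    return records


def out_of_cell_access(records, device_ip=LOGO_IP, port=WEB_PORT, cells=AUTOMATION_CELL):
    """Requests to the device's web port whose source lies outside the allowed cell(s).

    Any hit means the cell protection / VPN boundary is not doing its job."""
    nets = [ipaddress.ip_network(c) for c in cells]
    hits = []
    for r in records:
        if r["dst"] != device_ip or r["port"] != port:
            continue
        if not any(ipaddress.ip_address(r["src"]) in n for n in nets):
            hits.append(r)
    return hits


def session_reuse(records, device_ip=LOGO_IP, port=WEB_PORT):
    """Session IDs presented to the device's web port from more than one source address.

    Returns {session_id: {source IPs}} for every ID seen from two or more hosts; this is
    the observable side effect of a stolen session ID being replayed by an attacker."""
    sources = defaultdict(set)
    for r in records:
        if r["dst"] == device_ip and r["port"] == port and r["sid"]:
            sources[r["sid"]].add(r["src"])
    return {sid: srcs for sid, srcs in sources.items() if len(srcs) > 1}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in out_of_cell_access(recs):
        print(f"{r['ts']} web access from outside the cell: {r['src']} -> {r['dst']}:{r['port']}")
    for sid, srcs in session_reuse(recs).items():
        print(f"session {sid} presented from multiple hosts: {sorted(srcs)}")
```

On the sample data the first check flags the request from 10.0.0.77, and the second check reports session 9f1c3b as presented from both 192.168.10.20 and 10.0.0.77. Session reuse across source addresses can also be produced legitimately by NAT or a roaming engineering laptop, so treat it as an indicator to investigate rather than a verdict; the out-of-cell check, by contrast, should never fire if the cell boundary is configured as the advisory recommends.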

Siemens warned of vulnerabilities in several other products on Wednesday, including a denial of service vulnerability in its 7KM PAC Switched Ethernet PROFINET expansion modules, and scores of industrial products vulnerable to remote resource consumption attacks.

The remote resource consumption attacks could be triggered by an attacker sending specially crafted packets to the OPC Discovery server used by the products; if successful, the affected system could be made to access resources chosen by the attacker. Patches exist, but until they are deployed a number of SIMATIC products, including PCS 7, WinCC, WinCC Runtime Professional, NET PC Software and IT Production Suite, remain vulnerable, Siemens warns (.PDF). Sergey Temnikov, a senior research developer at Kaspersky Lab’s ICS-CERT, discovered the attack vector and responsibly disclosed it to the company.

Specially crafted packets could also trigger the DoS vulnerability (.PDF) in the expansion modules. Users should update to the most recent version, V2.1.3 [1], to mitigate the issue.
