Siemens LOGO! (Update A)

Plan PatchCVSS 7.5ICS-CERT ICSA-17-243-02Aug 30, 2017

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Siemens LOGO! 8 BM controllers contain two credential protection weaknesses: insufficiently protected credentials in firmware versions before 1.81.2, and lack of encryption in man-in-the-middle communication in versions before 8.3. An attacker with network access could capture credentials used to access and reprogram these controllers, potentially allowing unauthorized modification of automation logic or process parameters. The vulnerabilities are tracked as CWE-200 (Information Exposure) and CWE-300 (Channel Access Control). No known public exploits exist, but the risk is elevated due to the ease of credential interception in network environments.

What this means

What could happen

An attacker with network access to a LOGO! controller could intercept or extract device credentials, allowing unauthorized access to reprogram the controller or steal sensitive operation configurations. Man-in-the-middle attacks could also modify controller behavior in transit.

Who's at risk

Water treatment, municipal electric distribution, and other utilities using Siemens LOGO! 8 BM controllers for process automation. This affects both main variants and SIPLUS ruggedized variants. Any facility where LOGO! devices are connected to plant networks or accessible to engineering workstations needs to address this.

How it could be exploited

An attacker on the same network segment as a LOGO! device could capture unencrypted credentials transmitted between engineering workstations and the controller, or intercept controller-to-controller communication. With captured credentials, the attacker could then reprogram the device to alter automation logic, process setpoints, or disable safety functions.

Prerequisites

Network access to the LOGO! device (same plant network or connected subnet)
Ability to sniff or intercept network traffic between the controller and engineering workstations or other controllers

remotely exploitableno authentication required for passive credential theftlow complexity attack (network sniffing)affects multiple critical infrastructure sectorsno patch available for some variants without hardware replacement

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

LOGO! 8 BM (incl.'SIPLUS variants): All<V1.81.21.81.2

LOGO! 8 BM (incl.'SIPLUS variants): All<V8.38.3.

Remediation & Mitigation

0/6

Do now

0/3

HARDENINGEnable cell protection concept on LOGO! devices

HARDENINGDeploy VPN for protecting network communication between LOGO! cells and engineering workstations

HARDENINGRestrict network access to LOGO! devices using firewall rules or network segmentation

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate LOGO! 8 BM firmware to version 1.81.2 or later to fix the insufficiently protected credentials vulnerability

HARDENINGConfigure the environment according to Siemens user manual recommendations and operational guidelines

Long-term hardening

0/1

HOTFIXUpdate to LOGO! 8 BM v8.3 or later to mitigate man-in-the-middle vulnerability (requires new hardware)

CVEs (2)

CVE-2017-12734 CVE-2017-12735

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/8ec76bc9-969d-40f0-88a5-be69d54ac945

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.