Siemens LOGO! Soft Comfort
Monitor · 5.9 · ICS-CERT ICSA-17-353-04 · Dec 19, 2017
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
LOGO! Soft Comfort versions prior to 8.2 contain an untrusted download of executable code vulnerability. The Update Center in LOGO! Soft Comfort can download and execute malicious software packages without proper verification. This affects the engineering workstation software used to program and manage LOGO! controllers.
What this means
What could happen
An attacker with network access to an engineering workstation running LOGO! Soft Comfort could inject malicious software updates, compromising the workstation and potentially allowing them to modify LOGO! controller configurations or programs that control industrial processes.
Who's at risk
This affects organizations operating LOGO! programmable logic controllers (PLCs) in manufacturing, water/wastewater treatment, building automation, and other industrial settings. Anyone using LOGO! Soft Comfort engineering workstations with versions before 8.2 to program or maintain LOGO! controllers should upgrade immediately.
How it could be exploited
An attacker positioned on the network between an engineering workstation and Siemens' update servers could intercept the download connection and deliver a malicious software package. When the workstation user initiates a software update through the Update Center, the malicious package is downloaded and executed without cryptographic verification of authenticity.
Prerequisites
- Network access to the engineering workstation running LOGO! Soft Comfort versions before 8.2
- The workstation must attempt to download updates through the LOGO! Update Center
Tags: remotely exploitable · no authentication required · low complexity · no patch available for versions before 8.2 · affects engineering workstations
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
LOGO! Soft Comfort: All | < 8.2 | 8.2
Remediation & Mitigation
Do now
WORKAROUND: If upgrade is not immediately possible, disable or do not use the Update Center feature until the workstation can be upgraded
WORKAROUND: Manually verify SHA-256 checksums of LOGO! Soft Comfort software packages obtained from the official Siemens website (https://www.siemens.com/logo-update) before installation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade LOGO! Soft Comfort to version 8.2 or later
Long-term hardening
HARDENING: Restrict network access to engineering workstations running LOGO! Soft Comfort using firewalls and network segmentation; separate them from untrusted networks
HARDENING: Implement monitoring and logging on engineering workstation network traffic to detect suspicious software downloads
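The SHA-256 workaround above is the verification step that the vulnerable Update Center skips before executing a downloaded package (see "How it could be exploited"). As an added example, not Siemens code and not part of the advisory, the following Python checks a downloaded package against a published checksum manifest and fails closed on a missing entry or a mismatch; the sha256sum-style manifest format, the package file name and the package bytes are constructed assumptions.

```python
import hashlib
import hmac
import io

# Constructed sample manifest in sha256sum format ("<hex digest>  <filename>").
# The file name is a placeholder; the digest is SHA-256 of the stand-in bytes b"abc".
SAMPLE_MANIFEST = (
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    "  LOGO_Soft_Comfort_V8.2_upgrade.zip\n"
)
GOOD_PACKAGE = b"abc"      # stand-in for the genuine installer bytes
TAMPERED_PACKAGE = b"abd"  # one byte altered, as an on-path attacker could do in transit

def parse_manifest(text):
    """Map file name -> lowercase hex digest; reject malformed lines rather than guess."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"bad manifest line: {line!r}")
        digest, name = parts[0].lower(), parts[1].strip()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
        entries[name] = digest
    return entries

def sha256_stream(fileobj, chunk_size=1 << 20):
    """Hash in chunks so a large installer is never read into memory at once."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def verify_package(name, fileobj, manifest):
    """Fail closed: allow installation only with a manifest entry AND a matching digest."""
    expected = manifest.get(name)
    if expected is None:
        return False, f"no checksum published for {name}; refusing to install"
    if not hmac.compare_digest(sha256_stream(fileobj), expected):
        return False, f"SHA-256 mismatch for {name}: package altered or wrong file"
    return True, f"SHA-256 verified for {name}"

def verify_bytes(name, data, manifest_text=SAMPLE_MANIFEST):
    """Same check over in-memory package bytes (used by the demo below and by tests)."""
    return verify_package(name, io.BytesIO(data), parse_manifest(manifest_text))

if __name__ == "__main__":
    PKG = "LOGO_Soft_Comfort_V8.2_upgrade.zip"
    for label, name, data in (("genuine", PKG, GOOD_PACKAGE), ("tampered", PKG, TAMPERED_PACKAGE), ("unlisted", "other.zip", GOOD_PACKAGE)):
        print(label, verify_bytes(name, data))
```

Only a package whose check returns True should be handed to the installer; a mismatch or an unlisted file name is a stop condition, not a warning.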
CVEs (1)