OTPulse

Siemens LOGO! Soft Comfort (Update A)

Plan Patch | CVSS 7.8 | ICS-CERT ICSA-19-134-03 | May 14, 2019
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

LOGO! Soft Comfort versions prior to 8.3 contain an insecure deserialization vulnerability (CWE-502) in project file handling. When a user opens a malicious project file, arbitrary code can be executed with the privileges of the user opening the file. This is not remotely exploitable and requires social engineering to deliver the malicious file. Siemens has released version 8.3 as a fix. The vulnerability has a CVSS score of 7.8 and is not currently being actively exploited in the wild.

What this means
What could happen
An attacker with access to a project file for LOGO! Soft Comfort could execute arbitrary code on the engineering workstation when the project is opened, potentially allowing them to modify PLC logic, steal configuration data, or establish persistence on the control system development environment.
Who's at risk
Water authorities and electric utilities using Siemens LOGO! controllers for auxiliary automation tasks (pump control, fan operation, gate control, valve operation) rely on LOGO! Soft Comfort for engineering and maintenance. This affects any organization where engineers create or modify LOGO! projects on workstations.
How it could be exploited
An attacker creates a malicious LOGO! Soft Comfort project file and tricks an engineer into opening it (via email, USB, or file share). The software deserializes untrusted data in the project file, allowing code execution in the context of the engineer's workstation. From there, the attacker can modify or extract PLC logic before it is deployed to production devices.
Prerequisites
  • Access to deliver a malicious project file to an engineer (email, removable media, or network share)
  • Engineer must open the malicious .lgo or project file in a LOGO! Soft Comfort version prior to v8.3
  • User interaction required (file must be opened; not automatically executed)

  • Requires user interaction (social engineering attack vector)
  • Affects engineering workstations which may have access to production PLC deployment
  • Low technical complexity to craft malicious file
  • All versions prior to 8.3 are vulnerable
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product | Affected Versions | Fix Status
LOGO! Soft Comfort | All < V8.3 | 8.3
Remediation & Mitigation
Do now
WORKAROUND: Implement email security controls to block or warn on suspicious attachments and warn users not to open unsolicited files
WORKAROUND: Establish a policy that engineers only open LOGO! Soft Comfort project files from known, trusted sources (version-controlled repositories, internal systems)
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update LOGO! Soft Comfort to version 8.3 or later
Long-term hardening
HARDENING: Segment the engineering workstations from production network access and implement network access controls to limit lateral movement if a workstation is compromised
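
One way to enforce the trusted-source workaround above before a project file is opened, as an added example (not part of the advisory or of Siemens tooling): it compares a file's SHA-256 against a manifest exported from the version-controlled repository. The manifest layout (`sha256  filename` lines), the function names and the sample file name are assumptions constructed for illustration.

```python
import hashlib
import re
import sys
from pathlib import Path

HEX64 = re.compile(r"[0-9a-fA-F]{64}")

def sha256_file(path, chunk=1 << 20):
    """Hash the file in blocks so large projects are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def parse_manifest(text):
    """Parse 'sha256  filename' lines (assumed layout) into {filename: digest}."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        parts = line.split(None, 1)
        if len(parts) != 2 or not HEX64.fullmatch(parts[0]):
            raise ValueError(f"manifest line {lineno} is malformed")
        # File names are compared case-insensitively, as on Windows workstations.
        entries[parts[1].lstrip("*").lower()] = parts[0].lower()
    return entries

def check_project(path, manifest):
    """Return 'trusted', 'modified' or 'unknown' for a project file."""
    expected = manifest.get(Path(path).name.lower())
    if expected is None:
        return "unknown"   # never released through the repository: do not open
    if sha256_file(path) == expected:
        return "trusted"   # byte-identical to the released copy
    return "modified"      # known name, different content: treat as hostile

if __name__ == "__main__":
    # Usage: python check_project.py MANIFEST PROJECT_FILE
    manifest = parse_manifest(Path(sys.argv[1]).read_text())
    verdict = check_project(sys.argv[2], manifest)
    print(f"{sys.argv[2]}: {verdict}")
    sys.exit(0 if verdict == "trusted" else 1)
```

The manifest has to be generated and stored where a delivered file cannot alter it, for example from the repository's release job.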