OTPulse

Siemens LOGO! and SIPLUS LOGO!

Priority: Monitor · Score: 7.6 · ICS-CERT ICSA-23-348-04 · Dec 12, 2023
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

LOGO! V8.3 BM and SIPLUS LOGO! V8.3 BM controllers (firmware version V8.3 and later) are susceptible to electromagnetic fault injection. An attacker with physical access can use this technique to dump and debug the firmware, manipulate memory contents, and inject custom public keys that are signed by the LOGO! Product CA. This in turn allows malicious firmware to be injected that the device will trust and execute. Siemens has released new hardware versions (LOGO! V8.4 BM and SIPLUS LOGO! V8.4 BM) that fix this vulnerability and rotate the Product CA private key. No patch is available for the V8.3 hardware; only hardware replacement mitigates the issue.

What this means
What could happen
An attacker with physical access to a LOGO! V8.3 BM controller could use electromagnetic fault injection to dump the firmware and manipulate memory, potentially extracting or modifying code that controls industrial processes. This could allow an attacker to inject malicious firmware that persists and is trusted by the device.
Who's at risk
This affects organizations running Siemens LOGO! and SIPLUS LOGO! controllers (V8.3 BM models) used in small automation systems, process control, and building automation. Any facility using these compact PLCs for critical processes like motor control, pump management, or safety interlocks should assess their exposure.
How it could be exploited
An attacker requires physical proximity to the device to perform electromagnetic fault injection. Once fault injection is successful, the attacker can read and write to device memory, extract the firmware, and inject a custom public key that will be signed by the LOGO! Product CA, allowing installation of malicious code that the device trusts.
Prerequisites
  • Physical access to the LOGO! V8.3 BM device
  • Electromagnetic fault injection equipment
  • Knowledge of LOGO! memory layout and fault injection techniques
Tags: no patch available · requires physical access to device · firmware extraction possible · custom code injection possible · affects multiple controller variants
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (16)
16 EOL
Product | Affected Versions | Fix Status
LOGO! 12/24RCE | ≥ V8.3 | No fix (EOL)
LOGO! 12/24RCEo | ≥ V8.3 | No fix (EOL)
SIPLUS LOGO! 12/24RCE | ≥ V8.3 | No fix (EOL)
SIPLUS LOGO! 12/24RCEo | ≥ V8.3 | No fix (EOL)
LOGO! 230RCE | ≥ V8.3 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement physical security controls to prevent unauthorized access to LOGO! V8.3 BM devices, including locked equipment cabinets and restricted access areas.
Schedule — requires maintenance window

Applying the fix means replacing the hardware, which takes the device offline; plan for process interruption.

HOTFIX: Upgrade to LOGO! V8.4 BM or SIPLUS LOGO! V8.4 BM hardware, which fixes the vulnerability and rotates the Product CA private key.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: LOGO! 12/24RCE, LOGO! 12/24RCEo, SIPLUS LOGO! 12/24RCE, SIPLUS LOGO! 12/24RCEo, LOGO! 230RCE, LOGO! 230RCEo, SIPLUS LOGO! 230RCE, SIPLUS LOGO! 230RCEo, LOGO! 24CE, LOGO! 24CEo, SIPLUS LOGO! 24CE, SIPLUS LOGO! 24CEo, LOGO! 24RCE, LOGO! 24RCEo, SIPLUS LOGO! 24RCE, SIPLUS LOGO! 24RCEo. Apply the following compensating controls:
HARDENING: Protect network access to LOGO! devices with firewalls and appropriate access controls to limit exposure, even though this vulnerability requires physical access.
HARDENING: Follow Siemens' operational guidelines for Industrial Security to create a protected IT environment around LOGO! devices.