OTPulse

Siemens LOGO! and SIPLUS LOGO!

MonitorCVSS 7.6ICS-CERT ICSA-23-348-04Dec 12, 2023
Siemens
Attack path
Attack VectorPhysical
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

LOGO! V8.3 BM and SIPLUS LOGO! V8.3 BM controllers (firmware version V8.3 and later) contain a vulnerability that allows electromagnetic fault injection attacks. An attacker with physical access can use this technique to dump and debug the firmware, manipulate memory contents, and inject custom public keys that are signed by the LOGO! Product CA. This enables injection of malicious firmware that the device will trust and execute. Siemens has released new hardware versions (LOGO! V8.4 BM and SIPLUS LOGO! V8.4 BM) that fix this vulnerability and rotate the Product CA private key. No patch is available for the V8.3 hardware; only hardware replacement mitigates the issue.

What this means
What could happen
An attacker with physical access to a LOGO! V8.3 BM controller could use electromagnetic fault injection to dump the firmware and manipulate memory, potentially extracting or modifying code that controls industrial processes. This could allow an attacker to inject malicious firmware that persists and is trusted by the device.
Who's at risk
This affects organizations running Siemens LOGO! and SIPLUS LOGO! controllers (V8.3 BM models) used in small automation systems, process control, and building automation. Any facility using these compact PLCs for critical processes like motor control, pump management, or safety interlocks should assess their exposure.
How it could be exploited
An attacker requires physical proximity to the device to perform electromagnetic fault injection. Once fault injection is successful, the attacker can read and write to device memory, extract the firmware, and inject a custom public key that will be signed by the LOGO! Product CA, allowing installation of malicious code that the device trusts.
Prerequisites
  • Physical access to the LOGO! V8.3 BM device
  • Electromagnetic fault injection equipment
  • Knowledge of LOGO! memory layout and fault injection techniques
no patch availablerequires physical access to devicefirmware extraction possiblecustom code injection possibleaffects multiple controller variants
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (16)
16 EOL
ProductAffected VersionsFix Status
LOGO! 12/24RCE≥ V8.3No fix (EOL)
LOGO! 12/24RCEo≥ V8.3No fix (EOL)
SIPLUS LOGO! 12/24RCE≥ V8.3No fix (EOL)
SIPLUS LOGO! 12/24RCEo≥ V8.3No fix (EOL)
LOGO! 230RCE≥ V8.3No fix (EOL)
Remediation & Mitigation
0/4
Do now
0/1
HARDENINGImplement physical security controls to prevent unauthorized access to LOGO! V8.3 BM devices, including locked equipment cabinets and restricted access areas
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade to LOGO! V8.4 BM or SIPLUS LOGO! V8.4 BM hardware, which fixes the vulnerability and rotates the Product CA private key
Mitigations - no patch available
0/2
The following products have reached End of Life with no planned fix: LOGO! 12/24RCE, LOGO! 12/24RCEo, SIPLUS LOGO! 12/24RCE, SIPLUS LOGO! 12/24RCEo, LOGO! 230RCE, LOGO! 230RCEo, SIPLUS LOGO! 230RCE, SIPLUS LOGO! 230RCEo, LOGO! 24CE, LOGO! 24CEo, SIPLUS LOGO! 24CE, SIPLUS LOGO! 24CEo, LOGO! 24RCE, LOGO! 24RCEo, SIPLUS LOGO! 24RCE, SIPLUS LOGO! 24RCEo. Apply the following compensating controls:
HARDENINGProtect network access to LOGO! devices with firewalls and appropriate access controls to limit exposure even though this vulnerability requires physical access
HARDENINGFollow Siemens operational guidelines for Industrial Security to create a protected IT environment around LOGO! devices
View full CISA ICS-CERT advisory
API: /api/v1/advisories/2e2ae634-688b-4b4a-8755-7d0d0a13b9f7

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.