Plaintext Storage of a Password Vulnerability in LOGO! V8.3 BM Devices
Monitor | 4.6 | SSA-921449 | Aug 13, 2024
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
LOGO! V8.3 BM devices (including SIPLUS variants) store user-set passwords in plaintext on an embedded storage IC. An attacker with physical access could extract these passwords from the chip. Siemens has released LOGO! V8.4 BM and SIPLUS LOGO! V8.4 BM hardware versions as replacements with this vulnerability fixed. Affected products include all LOGO! 12/24RCEo, 230RCE, 230RCEo, 24CE, 24CEo, and 24RCE models across all firmware versions.
What this means
What could happen
An attacker with physical access to a LOGO! device could extract plaintext passwords from the embedded storage chip, potentially compromising engineering access and allowing unauthorized changes to automation logic or process parameters.
Who's at risk
Water utilities, electric utilities, wastewater treatment plants, and other municipalities using Siemens LOGO! programmable logic controllers (PLCs) for automation of pumps, motors, valves, and other critical equipment. This affects all V8.3 BM variants and SIPLUS industrial-grade versions used in process automation and equipment control.
How it could be exploited
An attacker would need to physically open the device, locate the embedded storage IC (integrated circuit) where passwords are stored in plaintext, extract or read the chip contents, and obtain the plaintext passwords. These credentials could then be used to reprogram the device logic or access engineering functions remotely if network access is available.
Prerequisites
- Physical access to the LOGO! device
- Ability to remove or read the embedded storage IC
- Knowledge of storage IC location and format
no patch available | physical access required | plaintext credential storage | affects all V8.3 BM versions
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (16)
16 EOL
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| LOGO! 12/24RCEo | All versions | No fix (EOL) |
| SIPLUS LOGO! 12/24RCEo | All versions | No fix (EOL) |
| LOGO! 230RCE | All versions | No fix (EOL) |
| LOGO! 230RCEo | All versions | No fix (EOL) |
| SIPLUS LOGO! 230RCE | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Implement physical security controls to restrict access to devices (locked enclosures, cable locks, access logs)
- HARDENING: Configure network access controls and firewall rules to limit engineering workstation connectivity to LOGO! devices
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Replace LOGO! V8.3 BM devices with LOGO! V8.4 BM hardware variants, which store passwords securely
Mitigations - no patch available
The following products have reached End of Life with no planned fix: LOGO! 12/24RCEo, SIPLUS LOGO! 12/24RCEo, LOGO! 230RCE, LOGO! 230RCEo, SIPLUS LOGO! 230RCE, SIPLUS LOGO! 230RCEo, LOGO! 24CE, LOGO! 24CEo, SIPLUS LOGO! 24CE, SIPLUS LOGO! 24CEo, LOGO! 24RCE, LOGO! 24RCEo, SIPLUS LOGO! 24RCE, SIPLUS LOGO! 24RCEo, SIPLUS LOGO! 12/24RCE, LOGO! 12/24RCE. Apply the following compensating controls:
- HARDENING: Follow Siemens operational guidelines for Industrial Security and implement defense-in-depth network segmentation
CVEs (1)