Vulnerabilities in LOGO! Soft Comfort
Action: Plan patch
Fixed version: 8.4
Advisory: SSA-983300
Published: Apr 13, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Two vulnerabilities in LOGO! Soft Comfort (CWE-22 path traversal and CWE-427 unsafe DLL loading) could allow an attacker with local access to the system to execute arbitrary code and take it over. A successful attacker could then modify the automation logic or configurations deployed to connected LOGO! controllers.
What this means
What could happen
An attacker with local access to a system running LOGO! Soft Comfort could execute arbitrary code and take full control of the software, potentially allowing them to modify automation logic or configurations deployed to connected LOGO! controllers.
Who's at risk
Water utilities and manufacturing facilities that use Siemens LOGO! controllers for process automation should care about this. If your engineering or operations team uses LOGO! Soft Comfort on any workstation to program or configure LOGO! controllers, you are affected.
How it could be exploited
An attacker with local access to a machine running LOGO! Soft Comfort could exploit either weakness to run code in the context of the application. Path traversal (CWE-22) means a crafted file name containing sequences such as "../" is used to read or write outside the directory the software intended, for example when it processes a project or archive file. Unsafe DLL loading (CWE-427) means the application loads a library by name from a search path that includes a directory an attacker can write to, so a planted DLL of the same name is loaded instead of the legitimate one. Both require that the attacker already has access to the workstation where the software is installed.
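The CWE-22 pattern described above, as an added illustration that is not code from LOGO! Soft Comfort or from the advisory: a constructed archive carries one benign entry and one entry whose name climbs out of the extraction directory. The naive target computation trusts the entry name; the hardened version normalises it and refuses anything that does not resolve inside the base directory. The archive contents, entry names and the base directory are assumptions made for the example, and the advisory does not state which file format the product mishandles.

```python
import io
import os
import tempfile
import zipfile
from typing import Dict

# Assumed extraction directory; it does not need to exist for the checks below.
BASE_DIR = os.path.join(tempfile.gettempdir(), "logo-projects")


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry, one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/logic.txt", "benign content")
        # Entry name chosen by the attacker; escapes BASE_DIR via '..'.
        zf.writestr("../../Startup/evil.txt", "attacker payload")
    return buf.getvalue()


def naive_target(base: str, name: str) -> str:
    """CWE-22 pattern: the entry name is trusted and joined as-is."""
    return os.path.join(base, name)


def safe_target(base: str, name: str) -> str:
    """Hardened form: normalise the name and prove containment in base."""
    base_real = os.path.realpath(base)
    # Archive names may use backslashes; treat them as separators before checking.
    name = name.replace("\\", "/")
    if name.startswith("/") or os.path.splitdrive(name)[0]:
        raise ValueError(f"absolute entry name rejected: {name!r}")
    candidate = os.path.realpath(os.path.join(base_real, name))
    # commonpath collapses '..' components; anything outside base fails here.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"entry escapes extraction directory: {name!r}")
    return candidate


def classify(archive: bytes, base: str) -> Dict[str, str]:
    """Report, per entry, whether the hardened check would accept it."""
    results: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            try:
                safe_target(base, info.filename)
                results[info.filename] = "ok"
            except ValueError:
                results[info.filename] = "rejected"
    return results


def naive_escapes(base: str, name: str) -> bool:
    """True when the naive join resolves to a path outside base."""
    base_real = os.path.realpath(base)
    resolved = os.path.realpath(naive_target(base_real, name))
    return os.path.commonpath([base_real, resolved]) != base_real


if __name__ == "__main__":
    for entry, verdict in classify(build_sample_archive(), BASE_DIR).items():
        print(f"{entry!r}: hardened={verdict}, naive_escapes={naive_escapes(BASE_DIR, entry)}")
```

The containment check is done on the resolved path, not on the raw string, so encoded or doubled separators and symlinked base directories are handled the same way; rejecting the entry outright is preferable to silently stripping the "../" components, which leaves a file in a location the author of the archive did not name.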
Prerequisites
- Local access to the workstation where LOGO! Soft Comfort is installed
- LOGO! Soft Comfort version earlier than V8.4 (V8.4 is the first fixed release)
Tags: local access required for exploitation; affects engineering/programming software; no authentication required once local access is gained
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: LOGO! Soft Comfort
Affected versions: all versions < V8.4
Fix status: fixed in V8.4
Remediation & Mitigation
- Schedule: requires a maintenance window
- Patching may require a reboot of the workstation running the software; plan for process interruption
- HOTFIX: Update LOGO! Soft Comfort to version 8.4 or later
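A version check for the remediation step above, added here as an example and not part of the advisory or of any Siemens tooling: it reads a constructed inventory export, parses version strings in the forms the vendor and asset tools commonly emit (with or without a leading "V", two or three components) and lists the hosts still running a release below 8.4. The inventory format, host names and column names are assumptions for the example.

```python
import csv
import io
import re
from typing import List, Tuple

# First fixed release according to the advisory.
FIXED_VERSION: Tuple[int, ...] = (8, 4)
PRODUCT = "LOGO! Soft Comfort"

# Constructed inventory export for the example; not real asset data.
INVENTORY_CSV = """\
host,product,version
eng-ws-01,LOGO! Soft Comfort,V8.3
eng-ws-02,LOGO! Soft Comfort,V8.4
eng-ws-03,LOGO! Soft Comfort,8.2.1
plant-hmi-01,WinCC,V7.5
eng-ws-04,LOGO! Soft Comfort,V8.4.1
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V8.3', '8.2.1' or ' 8.4 ' into a comparable tuple of integers."""
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """Affected means strictly below the first fixed release.

    Tuple comparison handles mixed lengths: (8, 4, 1) > (8, 4), (8, 2, 1) < (8, 4).
    """
    return parse_version(version) < FIXED_VERSION


def affected_hosts(csv_text: str) -> List[str]:
    """Return hosts that run the affected product below the fixed version."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        row["host"]
        for row in rows
        if row["product"] == PRODUCT and is_affected(row["version"])
    ]


if __name__ == "__main__":
    for host in affected_hosts(INVENTORY_CSV):
        print(f"{host}: update {PRODUCT} to V8.4 or later")
```

Unparseable version strings raise rather than being treated as patched, so a host whose inventory record is malformed shows up as an error to investigate instead of disappearing from the list.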
CVEs (2)