SEC Consult Vulnerability Lab Security Advisory < 20240524-0 > ======================================================================= title: Exposed Serial Shell on multiple PLCs product: Siemens CP-XXXX Series (CP-2014, CP-2016, CP-2017, CP-2019, CP-5014) vulnerable version: All hardware revisions fixed version: Hardware is EOL, no fix CVE number: - impact: Low homepage: https://www.siemens.com found: ~2023-06-01 by: Steffen Robertz (Office Vienna) Gerhard Hechenberger (Office Vienna) Constantin Schieber-Knöbl (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "We are a technology company focused on industry, infrastructure, transport, and healthcare. From more resource-efficient factories, resilient supply chains, and smarter buildings and grids, to cleaner and more comfortable transportation as well as advanced healthcare, we create technology with purpose adding real value for customers." Source: https://new.siemens.com/global/en/company/about.html Business recommendation: ------------------------ The hardware is no longer produced nor offered to the market. Hence HW adaptions resulting in modified products are not possible anymore. The described HW behavior on this generation of devices cannot be corrected by means of FW patches. The risk of successful exploitation is considered low as physical access to those devices is needed. SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Exposed Serial Shell on multiple Siemens PLCs A serial interface can be accessed with physical access to the PCB. After connecting to the interface, access to a shell with various debug functions as well as a login prompt is possible. Proof of concept: ----------------- 1) Exposed Serial Shell on multiple Siemens PLCs * CP-2016 (Figure 1) The serial interface on the CP-2016 can be accessed by connecting to the following through hole pins of an unpopulated header: +-+ |o| |o|RX |o|TX |o| |o| |o|GND +-+ * CP-2019 (Figure 2) The serial interface on the CP-2019 can be accessed by connecting to the following through hole pins of an unpopulated header: +-+ |o| |o|RX |o|TX |o| |o| |o|GND +-+ * CP-2014 (Figure 3) The serial interface on the CP-2014 can be accessed by connecting to the following through hole pins of an unpopulated header: +-+ |o|GND |o| |o| |o|RX |o|TX |o| +-+ * CP-2017 (Figure 4) The serial interface on the CP-2017 can be accessed on the compute module by connecting to pins 9 and 10 on the populated SMD connector: 1 TX RX '-'-'-'-'-'-'-'-'-' /-------------------\ | | |-------------------| +'-'-'-'-'-'-'-'-'-'+ 11 20 * CP-5014 (Figure 5) The serial interface on the CP-5014 can be accessed on the compute module by connecting to pins 1 and 2 on the populated SMD connector: RX TX 10 '-'-'-'-'-'-'-'-'-' /-------------------\ | | |-------------------| +'-'-'-'-'-'-'-'-'-'+ 11 20 All serial connections allow access to the SH1703 shell in version 1.00. The shell requires no authentication and allows the usage of multiple commands. The following output can be seen on all devices: --------------------------------------------------- XXXXX XXX XXX X XXXXX XXX XXX X X X X XXX X X X X X X X X X X X X X X XXXXX XXXXX X X X X XX X X X X X X X X X X X X X X X X X X XXXXX XXX XXX XXXXX X XXX XXX --------------------------------------------------- 1703 Shell [V1.00] (c) by 1703 Development Team type 'help' or '?' or press 'F1' for help SH1703> Initialize system .. . Init Done. system startup after Power-Up ... Install device 'USB Server'. RTC time not valid RTC time not valid RTC time not valid Reg: 100 Komp: 2 BSE: 20 Hello from <R#100 / K#2 / BSE#2> FW-ID: 2019 FW-Version: 0.06A01 Startup ZBGs ... done. system ready SH1703>help Available commands: hist Display command history !<n> Execute <n> command from stack ? [<cmd>] Display this message help [<cmd>] Display this message echo <text> Displays text call <file> Run script file cls Clear screen loop <cmd> Loop-execution of cmd ldfile <file> Load ascii file db <a> [-b|w|d<x> [-n<x>]] Display memory byte/word/dword wb <a> <val> [-b|w|d<x>] Write memory byte/word/dword mb <a> [-b|w|d<x> [-n<x>]] Monitoring memory byte/word/dword login Login logoff Logoff pci ... PCI Commands bemrk Run Benchmark drv List installed drives dir List files in directory del [<drv:>]<file> Delete file ren <src> <dest> Rename or move file cd <dir>|<..> Change current directory or drive md <dir> Make directory rd <dir> Remove directory type [<drv:>]<file> Displays the contents of a file copy <src> <dest> Copy a file findstr <file> <str> Find a string in a textfile mkdisk <drvname> <size> Make a Ramdisk uidisk <drvname> Close and uninstall a disk format <drvname> Format drive mem_wr <addr> <size> <des> Write mem to file idr Read from diagnostic ring icr Clear diagnostic ring idd Debug-Trace ON bp Read all breakpoint settings bpf [<file>] Set File for Debugprint (no arg = stdout) is ... Debugger settings ig [f|s] Display BPs / Clear all BPs idb Read DB-Breaks idt Read DB-Trace Settings icz Clear breakpoint counters dev ... ZIO-Device commands bsp ... bsp commands ftrc ... FTRC Commands banner Display the banner pl Display process list pi [<appl_nr>] Display process info ad -c|d|k|s APP-Debug Create|Detach|Kill|Start tl Display task list (all processes) tm [-r] Display task monitor (-r = runtime) tc <taskname> Display task context td <taskID> Display task descriptor tq Display task queues sysztsk Display ZOS-tasks of system process appztsk [<appl_nr>] Display ZOS-tasks of appl-process(es) stack Display stack usage of all tasks stsk -c|d|e|s|r ZOS-Task Create|Del|Exch|Suspend|Resume tsktrc -s|r|c ZOS-Task-Trace Start|Read|Clear set [<name>=<val>] Display, set or remove environment variables time Display the current time timeset Set the current time mem Display memory usage status Display system status informations ver Display version informations r Reset system element (R,R Cxx,R Pxx,R Zxx klog [dis|ena|all] Display, disable or enable kernel logging psp_info Display prozessor configuration infos int_info Interrupt-Info-List int_gen Generate Interrupt (for Admin only) tlbs Display TLBs ga [<appl_nr>] Start Subshell of application tsd Debug Timeserver mci MCI Commands usb <cmd> USB commands mmc <cmd> MMC Commands zhs ZHS commands zpv Parameter infos zdt data transporter fsn ZIO/FSN statistics net <enet|emac|mal> <dev> Network statistics prd <pg> <reg> <len> Read PHY register (len: 8|16|32) pwr <pg> <reg> <len> <data> Write PHY register (len: 8|16|32) rmib Reset all statistic counters scfg Display broadcom switch registers ipaddr <dev> Display ip addresses on interface route Display routing table socket Display socket statistic tcp Display tcp statistic udp Display udp statistic arp Display arp cache ping host-ipaddr send ICMP ECHO_REQUEST to a host arl Switch Address Resolution table ebuf Statistic for Buffer handling FSN tls_ciph print cipher suites for all connections tls_obj idx print connection objects tls_log log level for tls lib tls_deb idx print connection debug cnts tlscache print cert/key cache opensslm print mem pool statistic for openssl tlsdeb_s START mem pool debug function tlsdeb_e END mem pool debug function tlsdeb_r print mem pool debug for openssl tlsdeb_c CLEAR mem pool debug function sap special application function Available Function-Keys: F1 Help F2 Display system status informations F3 Display Last command F5 Display the current time F7 History F8 Display memory usage F9 Display ZOS-Task Infos F10 Display Tasklist F11 Execute Last command SH1703> ---------------------------------------- Vulnerable / tested versions: ----------------------------- The following versions have been tested which were the latest version available at the time of the test: * CP-2016: CPCX26 V0.06A01 * CP-2019: PCCX26 V0.06A01 * CP-2014: CPCX25 V0.05A04 * CP-2017: PCCX25 V0.11A10 * CP-5056: CPCX55 V0.10A04 Vendor contact timeline: ------------------------ 2024-03-05: Contacting vendor through [email protected] 2024-03-06: Siemens tracks this issue as case #04393 2024-04-03: Requested status update. 2024-04-03: Product is EOL, no fix planned. 2024-04-29: Informed Siemens about planned publication of advisory. 2024-04-30: Siemens, requests draft of advisory. Advisory is sent for review. 2024-05-07: Siemens requested small changes in the Solution and Business Recommendation. 2024-05-24: Public release of security advisory. Solution: --------- The hardware is no longer produced nor offered to the market. Hence HW adaptions resulting in modified products are not possible anymore. The described HW behavior on this generation of devices cannot be corrected by means of FW patches. The risk of successful exploitation is considered low as physical access to those devices is needed. Workaround: ----------- Make sure to strictly limit physical access to the PLC during and also after its life cycle. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Steffen Robertz, Gerhard Hechenberger, Constantin Schieber-Knöbl / @2024