=========================& SEC Consult Vulnerability Lab Security Advisory < 20240524-0 >
=======================================================================
title: Exposed Serial Shell on multiple PLCs
product: Siemens CP-XXXX Series (CP-2014, CP-2016, CP-2017, CP-2019, CP-5014)
vulnerable version: All hardware revisions
fixed version: Hardware is EOL, no fix
CVE number: -
impact: Low
homepage: https://www.siemens.com
found: ~2023-06-01
by: Steffen Robertz (Office Vienna)
Gerhard Hechenberger (Office Vienna)
Constantin Schieber-Knöbl (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"We are a technology company focused on industry, infrastructure,
transport, and healthcare. From more resource-efficient factories,
resilient supply chains, and smarter buildings and grids, to cleaner
and more comfortable transportation as well as advanced healthcare,
we create technology with purpose adding real value for customers."
Source: https://new.siemens.com/global/en/company/about.html
Business recommendation:
------------------------
The hardware is no longer produced nor offered to the market. Hence
HW adaptions resulting in modified products are not possible anymore.
The described HW behavior on this generation of devices cannot be
corrected by means of FW patches.
The risk of successful exploitation is considered low as physical access to
those devices is needed.
SEC Consult highly recommends to perform a thorough security review of the product
conducted by security professionals to identify and resolve potential further
security issues.
Vulnerability overview/description:
-----------------------------------
1) Exposed Serial Shell on multiple Siemens PLCs
A serial interface can be accessed with physical access to the PCB. After
connecting to the interface, access to a shell with various debug functions
as well as a login prompt is possible.
Proof of concept:
-----------------
1) Exposed Serial Shell on multiple Siemens PLCs
* CP-2016 (Figure 1)
The serial interface on the CP-2016 can be accessed by connecting to the
following through hole pins of an unpopulated header:
+-+
|o|
|o|RX
|o|TX
|o|
|o|
|o|GND
+-+
* CP-2019 (Figure 2)
The serial interface on the CP-2019 can be accessed by connecting to the
following through hole pins of an unpopulated header:
+-+
|o|
|o|RX
|o|TX
|o|
|o|
|o|GND
+-+
* CP-2014 (Figure 3)
The serial interface on the CP-2014 can be accessed by connecting to the
following through hole pins of an unpopulated header:
+-+
|o|GND
|o|
|o|
|o|RX
|o|TX
|o|
+-+
* CP-2017 (Figure 4)
The serial interface on the CP-2017 can be accessed on the compute module
by connecting to pins 9 and 10 on the populated SMD connector:
1 TX RX
'-'-'-'-'-'-'-'-'-'
/-------------------
| |
|-------------------|
+'-'-'-'-'-'-'-'-'-'+
11 20
* CP-5014 (Figure 5)
The serial interface on the CP-5014 can be accessed on the compute module
by connecting to pins 1 and 2 on the populated SMD connector:
RX TX 10
'-'-'-'-'-'-'-'-'-'
/-------------------
| |
|-------------------|
+'-'-'-'-'-'-'-'-'-'+
11 20
All serial connections allow access to the SH1703 shell in version 1.00.
The shell requires no authentication and allows the usage of multiple
commands.
The following output can be seen on all devices:
---------------------------------------------------
XXXXX XXX XXX X XXXXX XXX XXX
X X X X XXX X X X X X X
X X X X X X X X
XXXXX XXXXX X X X X XX
X X X X X X X X
X X X X X X X X X X
XXXXX XXX XXX XXXXX X XXX XXX
---------------------------------------------------
1703 Shell [V1.00]
(c) by 1703 Development Team
type 'help' or '?' or press 'F1' for help
SH1703>
Initialize system ..
. Init Done.
system startup after Power-Up ...
Install device 'USB Server'.
RTC time not valid
RTC time not valid
RTC time not valid
Reg: 100 Komp: 2 BSE: 20
Hello from <R#100 / K#2 / BSE#2> FW-ID: 2019 FW-Version: 0.06A01
Startup ZBGs ... done.
system ready
SH1703>help
Available commands:
hist Display command history
!<n> Execute <n> command from stack
? [<cmd>] Display this message
help [<cmd>] Display this message
echo <text> Displays text
call <file> Run script file
cls Clear screen
loop <cmd> Loop-execution of cmd
ldfile <file> Load ascii file
db <a> [-b|w|d<x> [-n<x>]] Display memory byte/word/dword
wb <a> <val> [-b|w|d<x>] Write memory byte/word/dword
mb <a> [-b|w|d<x> [-n<x>]] Monitoring memory byte/word/dword
login Login
logoff Logoff
pci ... PCI Commands
bemrk Run Benchmark
drv List installed drives
dir List files in directory
del [<drv:>]<file> Delete file
ren <src> <dest> Rename or move file
cd <dir>|<..> Change current directory or drive
md <dir> Make directory
rd <dir> Remove directory
type [<drv:>]<file> Displays the contents of a file
copy <src> <dest> Copy a file
findstr <file> <str> Find a string in a textfile
mkdisk <drvname> <size> Make a Ramdisk
uidisk <drvname> Close and uninstall a disk
format <drvname> Format drive
mem_wr <addr> <size> <des> Write mem to file
idr Read from diagnostic ring
icr Clear diagnostic ring
idd Debug-Trace ON
bp Read all breakpoint settings
bpf [<file>] Set File for Debugprint (no arg = stdout)
is ... Debugger settings
ig [f|s] Display BPs / Clear all BPs
idb Read DB-Breaks
idt Read DB-Trace Settings
icz Clear breakpoint counters
dev ... ZIO-Device commands
bsp ... bsp commands
ftrc ... FTRC Commands
banner Display the banner
pl Display process list
pi [<appl_nr>] Display process info
ad -c|d|k|s APP-Debug Create|Detach|Kill|Start
tl Display task list (all processes)
tm [-r] Display task monitor (-r = runtime)
tc <taskname> Display task context
td <taskID> Display task descriptor
tq Display task queues
sysztsk Display ZOS-tasks of system process
appztsk [<appl_nr>] Display ZOS-tasks of appl-process(es)
stack Display stack usage of all tasks
stsk -c|d|e|s|r ZOS-Task Create|Del|Exch|Suspend|Resume
tsktrc -s|r|c ZOS-Task-Trace Start|Read|Clear
set [<name>=<val>] Display, set or remove environment variables
time Display the current time
timeset Set the current time
mem Display memory usage
status Display system status informations
ver Display version informations
r Reset system element (R,R Cxx,R Pxx,R Zxx
klog [dis|ena|all] Display, disable or enable kernel logging
psp_info Display prozessor configuration infos
int_info Interrupt-Info-List
int_gen Generate Interrupt (for Admin only)
tlbs Display TLBs
ga [<appl_nr>] Start Subshell of application
tsd Debug Timeserver
mci MCI Commands
usb <cmd> USB commands
mmc <cmd> MMC Commands
zhs ZHS commands
zpv Parameter infos
zdt data transporter
fsn ZIO/FSN statistics
net <enet|emac|mal> <dev> Network statistics
prd <pg> <reg> <len> Read PHY register (len: 8|16|32)
pwr <pg> <reg> <len> <data> Write PHY register (len: 8|16|32)
rmib Reset all statistic counters
scfg Display broadcom switch registers
ipaddr <dev> Display ip addresses on interface
route Display routing table
socket Display socket statistic
tcp Display tcp statistic
udp Display udp statistic
arp Display arp cache
ping host-ipaddr send ICMP ECHO_REQUEST to a host
arl Switch Address Resolution table
ebuf Statistic for Buffer handling FSN
tls_ciph print cipher suites for all connections
tls_obj idx print connection objects
tls_log log level for tls lib
tls_deb idx print connection debug cnts
tlscache print cert/key cache
opensslm print mem pool statistic for openssl
tlsdeb_s START mem pool debug function
tlsdeb_e END mem pool debug function
tlsdeb_r print mem pool debug for openssl
tlsdeb_c CLEAR mem pool debug function
sap special application function
Available Function-Keys:
F1 Help
F2 Display system status informations
F3 Display Last command
F5 Display the current time
F7 History
F8 Display memory usage
F9 Display ZOS-Task Infos
F10 Display Tasklist
F11 Execute Last command
SH1703>
----------------------------------------
Vulnerable / tested versions:
-----------------------------
The following versions have been tested which were the latest version available
at the time of the test:
* CP-2016: CPCX26 V0.06A01
* CP-2019: PCCX26 V0.06A01
* CP-2014: CPCX25 V0.05A04
* CP-2017: PCCX25 V0.11A10
* CP-5056: CPCX55 V0.10A04
Vendor contact timeline:
------------------------
2024-03-05: Contacting vendor through productcert@siemens.com
2024-03-06: Siemens tracks this issue as case #04393
2024-04-03: Requested status update.
2024-04-03: Product is EOL, no fix planned.
2024-04-29: Informed Siemens about planned publication of advisory.
2024-04-30: Siemens, requests draft of advisory. Advisory is sent for review.
2024-05-07: Siemens requested small changes in the Solution and Business
Recommendation.
2024-05-24: Public release of security advisory.
Solution:
---------
The hardware is no longer produced nor offered to the market. Hence HW
adaptions resulting in modified products are not possible anymore. The
described HW behavior on this generation of devices cannot be corrected
by means of FW patches.
The risk of successful exploitation is considered low as physical access to
those devices is needed.
Workaround:
-----------
Make sure to strictly limit physical access to the PLC during and also
after its life cycle.
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Steffen Robertz, Gerhard Hechenberger, Constantin Schieber-Knöbl / @2024