Exposed Serial Shell on multiple PLCs in Siemens CP-XXXX Series

Title

Exposed Serial Shell on multiple PLCs

Product

Siemens CP-XXXX Series (CP-2014, CP-2016, CP-2017, CP-2019, CP-5014)

Vulnerable Version

All hardware revisions

Fixed Version

Hardware is EOL, no fix

CVE Number

-

Impact

low

Found

01.06.2023

By

Steffen Robertz, Gerhard Hechenberger, Constantin Schieber-Knöbl (Office Vienna) | SEC Consult Vulnerability Lab

Multiple Siemens CP-XXXX PLC system modules used in SICAM AK3, SICAM AK and SICAM BC expose an unprotected UART serial shell on the PCB. An attacker with physical access can connect to it and, from there, fully debug the device, read and write memory and modify executed tasks.

Vendor description

"We are a technology company focused on industry, infrastructure, transport, and healthcare. From more resource-efficient factories, resilient supply chains, and smarter buildings and grids, to cleaner and more comfortable transportation as well as advanced healthcare, we create technology with purpose adding real value for customers."

Source: https://new.siemens.com/global/en/company/about.html


Business recommendation

According to Siemens PSIRT, the hardware is no longer produced nor offered to the market. Hence HW adaptations resulting in modified products are not possible anymore. The described HW behavior on this generation of devices cannot be corrected by means of FW patches.

The risk of successful exploitation is considered low as physical access to those devices is needed.

SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.


Vulnerability overview/description

1) Exposed Serial Shell on multiple Siemens PLCs

A serial interface can be reached with physical access to the PCB. After connecting to it, a shell offering various debug functions, as well as a login prompt, is accessible.


Proof of concept

1) Exposed Serial Shell on multiple Siemens PLCs

CP-2016 (Figure 1)

The serial interface on the CP-2016 can be accessed by connecting to the following through-hole pins of an unpopulated header:

 +-+
 |o|
 |o|RX
 |o|TX
 |o|
 |o|
 |o|GND
 +-+

CP-2019 (Figure 2)

The serial interface on the CP-2019 can be accessed by connecting to the following through-hole pins of an unpopulated header:

 +-+
 |o|
 |o|RX
 |o|TX
 |o|
 |o|
 |o|GND
 +-+  

CP-2014 (Figure 3)

The serial interface on the CP-2014 can be accessed by connecting to the following through-hole pins of an unpopulated header:

 +-+
 |o|GND
 |o|
 |o|
 |o|RX
 |o|TX
 |o|
 +-+

CP-2017 (Figure 4)

The serial interface on the CP-2017 can be accessed on the compute module by connecting to pins 9 and 10 on the populated SMD connector:

  1              TX RX
  '-'-'-'-'-'-'-'-'-'
 /-------------------\
 |                   |
 |-------------------|
 +'-'-'-'-'-'-'-'-'-'+
  11                20  

CP-5014 (Figure 5)

The serial interface on the CP-5014 can be accessed on the compute module by connecting to pins 1 and 2 on the populated SMD connector:

 RX TX              10
  '-'-'-'-'-'-'-'-'-'
 /-------------------\
 |                   |
 |-------------------|
 +'-'-'-'-'-'-'-'-'-'+
  11                20 

All serial connections give access to the SH1703 shell in version 1.00. The shell requires no authentication and allows the use of multiple commands.

The following output can be seen on all devices:

---------------------------------------------------
   XXXXX  XXX XXX      X     XXXXX    XXX     XXX  
  X     X  X   X     XXX     X   X   X   X   X   X 
  X        X   X       X        X    X   X       X 
   XXXXX   XXXXX       X        X    X   X     XX  
        X  X   X       X       X     X   X       X 
  X     X  X   X       X      X      X   X   X   X 
   XXXXX  XXX XXX    XXXXX    X       XXX     XXX  
---------------------------------------------------

1703 Shell [V1.00]
(c) by 1703 Development Team

type 'help' or '?' or press 'F1' for help

SH1703>

Initialize system ..
. Init Done.

system startup after Power-Up ...
Install device 'USB Server'.

 RTC time not valid 

 RTC time not valid 

 RTC time not valid 
Reg: 100 Komp: 2 BSE: 20
Hello from <R#100 / K#2 / BSE#2> FW-ID: 2019 FW-Version: 0.06A01 
Startup ZBGs ... done.

system ready
SH1703>help
Available commands:
 hist                             Display command history
!<n>                             Execute <n> command from stack
 ?        [<cmd>]                 Display this message
 help     [<cmd>]                 Display this message
 echo     <text>                  Displays text
 call     <file>                  Run script file
 cls                              Clear screen
 loop     <cmd>                   Loop-execution of cmd
 ldfile   <file>                  Load ascii file
 db       <a> [-b|w|d<x> [-n<x>]] Display memory byte/word/dword
 wb       <a> <val> [-b|w|d<x>]   Write memory byte/word/dword
 mb       <a> [-b|w|d<x> [-n<x>]] Monitoring memory byte/word/dword
 login                            Login
 logoff                           Logoff
 pci      ...                     PCI Commands
 bemrk                            Run Benchmark
 drv                              List installed drives
 dir                              List files in directory
 del      [<drv:>]<file>          Delete file
 ren      <src> <dest>            Rename or move file
 cd       <dir>|<..>              Change current directory or drive
 md       <dir>                   Make directory
 rd       <dir>                   Remove directory
 type     [<drv:>]<file>          Displays the contents of a file
 copy     <src> <dest>            Copy a file
 findstr  <file> <str>            Find a string in a textfile
 mkdisk   <drvname> <size>        Make a Ramdisk
 uidisk   <drvname>               Close and uninstall a disk
 format   <drvname>               Format drive
 mem_wr   <addr> <size> <des>     Write mem to file
 idr                              Read from diagnostic ring
 icr                              Clear diagnostic ring
 idd                              Debug-Trace ON
 bp                               Read all breakpoint settings
 bpf      [<file>]                Set File for Debugprint (no arg = stdout)
 is       ...                     Debugger settings
 ig       [f|s]                   Display BPs / Clear all BPs
 idb                              Read DB-Breaks
 idt                              Read DB-Trace Settings
 icz                              Clear breakpoint counters
 dev      ...                     ZIO-Device commands
 bsp      ...                     bsp commands
 ftrc     ...                     FTRC Commands
 banner                           Display the banner
 pl                               Display process list
 pi       [<appl_nr>]             Display process info
 ad       -c|d|k|s                APP-Debug Create|Detach|Kill|Start
 tl                               Display task list (all processes)
 tm       [-r]                    Display task monitor (-r = runtime)
 tc       <taskname>              Display task context
 td       <taskID>                Display task descriptor
 tq                               Display task queues
 sysztsk                          Display ZOS-tasks of system process
 appztsk  [<appl_nr>]             Display ZOS-tasks of appl-process(es)
 stack                            Display stack usage of all tasks
 stsk     -c|d|e|s|r              ZOS-Task Create|Del|Exch|Suspend|Resume
 tsktrc   -s|r|c                  ZOS-Task-Trace Start|Read|Clear
 set      [<name>=<val>]          Display, set or remove environment variables
 time                             Display the current time
 timeset                          Set the current time
 mem                              Display memory usage
 status                           Display system status informations
 ver                              Display version informations
 r                                Reset system element (R,R Cxx,R Pxx,R Zxx
 klog     [dis|ena|all]           Display, disable or enable kernel logging
 psp_info                         Display prozessor configuration infos                    
 int_info                         Interrupt-Info-List                                      
 int_gen                          Generate Interrupt (for Admin only)                      
 tlbs                             Display TLBs                                             
 ga       [<appl_nr>]             Start Subshell of application                            
 tsd                              Debug Timeserver                                         
 mci                              MCI Commands                                             
 usb      <cmd>                   USB commands                                             
 mmc      <cmd>                   MMC Commands                                             
 zhs                              ZHS commands                                             
 zpv                              Parameter infos                                          
 zdt                              data transporter                                         
 fsn                              ZIO/FSN statistics                                       
 net      <enet|emac|mal> <dev>   Network statistics                                       
 prd      <pg> <reg> <len>        Read PHY register (len: 8|16|32)                         
 pwr      <pg> <reg> <len> <data> Write PHY register (len: 8|16|32)                        
 rmib                             Reset all statistic counters                             
 scfg                             Display broadcom switch registers                        
 ipaddr   <dev>                   Display ip addresses on interface                        
 route                            Display routing table
 socket                           Display socket statistic
 tcp                              Display tcp statistic
 udp                              Display udp statistic
 arp                              Display arp cache
 ping     host-ipaddr             send ICMP ECHO_REQUEST to a host
 arl                              Switch Address Resolution table 
 ebuf                             Statistic for Buffer handling FSN
 tls_ciph                         print cipher suites for all connections
 tls_obj  idx                     print connection objects               
 tls_log                          log level for tls lib                  
 tls_deb  idx                     print connection debug cnts            
 tlscache                         print cert/key cache                   
 opensslm                         print mem pool statistic for openssl   
 tlsdeb_s                         START mem pool debug function          
 tlsdeb_e                         END mem pool debug function       
 tlsdeb_r                         print mem pool debug for openssl       
 tlsdeb_c                         CLEAR mem pool debug function          
 sap                              special application function
Available Function-Keys:
 F1     Help
 F2     Display system status informations
 F3     Display Last command
 F5     Display the current time
 F7     History
 F8     Display memory usage
 F9     Display ZOS-Task Infos
 F10    Display Tasklist
 F11    Execute Last command
SH1703>
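As an added example (not part of the advisory and not SEC Consult's or Siemens' code), the following script parses a captured listing in the format shown above and groups the commands into the capability classes the impact statement names (memory read/write, task control, debugging, file system). The class mapping is my own assumption, and the sample listing is a constructed subset of the output above.

```python
"""Capability triage of a captured SH1703 'help' listing.  Added example, not
SEC Consult's or Siemens' code: groups the unauthenticated commands into the
risk classes the advisory's impact statement names."""

# Constructed sample: a subset of the advisory's listing, keeping its column
# layout (name at col 1, arguments at col 10, description at col 34).
SAMPLE_HELP = """\
Available commands:
 hist                             Display command history
 db       <a> [-b|w|d<x> [-n<x>]] Display memory byte/word/dword
 wb       <a> <val> [-b|w|d<x>]   Write memory byte/word/dword
 del      [<drv:>]<file>          Delete file
 bp                               Read all breakpoint settings
 ad       -c|d|k|s                APP-Debug Create|Detach|Kill|Start
 stsk     -c|d|e|s|r              ZOS-Task Create|Del|Exch|Suspend|Resume
 time                             Display the current time
Available Function-Keys:
 F1     Help
"""
DESC_COL = 33  # the single separator space before the description column

# Assumed mapping (mine, not Siemens') from command names to capabilities.
RISK_CLASSES = {
    "memory_rw": {"db", "wb", "mb", "mem_wr"},
    "task_control": {"ad", "stsk", "tsktrc", "r"},
    "debugger": {"bp", "bpf", "is", "ig", "idb", "idt", "icz", "idd"},
    "filesystem": {"del", "ren", "copy", "md", "rd", "format", "mkdisk", "uidisk"},
}


def parse_commands(text):
    """Map each command in the help block to (argument spec, description)."""
    commands, in_block = {}, False
    for line in text.splitlines():
        if line.startswith("Available commands:"):
            in_block = True
        elif line.startswith("Available Function-Keys:"):
            break  # function keys follow a different layout; stop here
        elif in_block and line.strip():
            name, args = line[:10].strip(), line[10:DESC_COL].strip()
            commands[name] = (args, line[DESC_COL:].strip())
    return commands


def classify(text):
    """Group listed commands by risk class; unmapped ones land in 'other'."""
    groups = {cls: [] for cls in list(RISK_CLASSES) + ["other"]}
    for name in parse_commands(text):
        cls = next((c for c, s in RISK_CLASSES.items() if name in s), "other")
        groups[cls].append(name)
    return groups
```

Running classify() over a full captured listing gives an asset owner a quick inventory of what an unauthenticated console session on such a module can reach.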

Vulnerable / tested versions

The following versions were tested; they were the latest versions available
at the time of the test:

  • CP-2016: CPCX26 V0.06A01
  • CP-2019: PCCX26 V0.06A01
  • CP-2014: CPCX25 V0.05A04
  • CP-2017: PCCX25 V0.11A10
  • CP-5056: CPCX55 V0.10A04

Vendor contact timeline

2024-03-05 Contacting vendor through productcert@siemens.com
2024-03-06 Siemens tracks this issue as case #04393
2024-04-03 Requested status update.
2024-04-03 Product is EOL, no fix planned.
2024-04-29 Informed Siemens about planned publication of advisory.
2024-04-30 Siemens requests a draft of the advisory. Advisory is sent for review.
2024-05-07 Siemens requested small changes in the Solution and Business Recommendation.
2024-05-24 Public release of security advisory.

Solution

According to Siemens PSIRT, the hardware is no longer produced nor offered to the market. Hence HW adaptations resulting in modified products are not possible anymore. The described HW behavior on this generation of devices cannot be corrected by means of FW patches.

The risk of successful exploitation is considered low as physical access to those devices is needed.


Workaround

Make sure to strictly limit physical access to the PLC during and also after its life cycle.

 

Advisory URL

https://sec-consult.com/vulnerability-lab/

EOF Steffen Robertz, Gerhard Hechenberger, Constantin Schieber-Knöbl @2024
