Vendor description
"We are a technology company focused on industry, infrastructure, transport, and healthcare. From more resource-efficient factories, resilient supply chains, and smarter buildings and grids, to cleaner and more comfortable transportation as well as advanced healthcare, we create technology with purpose adding real value for customers."
Source: https://new.siemens.com/global/en/company/about.html
Business recommendation
According to Siemens PSIRT, the hardware is no longer produced nor offered to the market. Hence HW adaptions resulting in modified products are not possible anymore. The described HW behavior on this generation of devices cannot be corrected by means of FW patches.
The risk of successful exploitation is considered low as physical access to those devices is needed.
SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues.
Vulnerability overview/description
1) Exposed Serial Shell on multiple Siemens PLCs
A serial interface can be accessed with physical access to the PCB. After connecting to the interface, access to a shell with various debug functions as well as a login prompt is possible.
Proof of concept
1) Exposed Serial Shell on multiple Siemens PLCs
CP-2016 (Figure 1)
The serial interface on the CP-2016 can be accessed by connecting to the following through hole pins of an unpopulated header:
+-+
|o|
|o|RX
|o|TX
|o|
|o|
|o|GND
+-+CP-2019 (Figure 2)
The serial interface on the CP-2019 can be accessed by connecting to the following through hole pins of an unpopulated header:
+-+
|o|
|o|RX
|o|TX
|o|
|o|
|o|GND
+-+ CP-2014 (Figure 3)
The serial interface on the CP-2014 can be accessed by connecting to the following through hole pins of an unpopulated header:
+-+
|o|GND
|o|
|o|
|o|RX
|o|TX
|o|
+-+CP-2017 (Figure 4)
The serial interface on the CP-2017 can be accessed on the compute module by connecting to pins 9 and 10 on the populated SMD connector:
1 TX RX
'-'-'-'-'-'-'-'-'-'
/-------------------\
| |
|-------------------|
+'-'-'-'-'-'-'-'-'-'+
11 20
CP-5014 (Figure 5)
The serial interface on the CP-5014 can be accessed on the compute module by connecting to pins 1 and 2 on the populated SMD connector:
RX TX 10
'-'-'-'-'-'-'-'-'-'
/-------------------\
| |
|-------------------|
+'-'-'-'-'-'-'-'-'-'+
11 20 All serial connections allow access to the SH1703 shell in version 1.00. The shell requires no authentication and allows the usage of multiple commands.
The following output can be seen on all devices:
---------------------------------------------------
XXXXX XXX XXX X XXXXX XXX XXX
X X X X XXX X X X X X X
X X X X X X X X
XXXXX XXXXX X X X X XX
X X X X X X X X
X X X X X X X X X X
XXXXX XXX XXX XXXXX X XXX XXX
---------------------------------------------------
1703 Shell [V1.00]
(c) by 1703 Development Team
type 'help' or '?' or press 'F1' for help
SH1703>
Initialize system ..
. Init Done.
system startup after Power-Up ...
Install device 'USB Server'.
RTC time not valid
RTC time not valid
RTC time not valid
Reg: 100 Komp: 2 BSE: 20
Hello from <R#100 / K#2 / BSE#2> FW-ID: 2019 FW-Version: 0.06A01
Startup ZBGs ... done.
system ready
SH1703>help
Available commands:
hist Display command history
!<n> Execute <n> command from stack
? [<cmd>] Display this message
help [<cmd>] Display this message
echo <text> Displays text
call <file> Run script file
cls Clear screen
loop <cmd> Loop-execution of cmd
ldfile <file> Load ascii file
db <a> [-b|w|d<x> [-n<x>]] Display memory byte/word/dword
wb <a> <val> [-b|w|d<x>] Write memory byte/word/dword
mb <a> [-b|w|d<x> [-n<x>]] Monitoring memory byte/word/dword
login Login
logoff Logoff
pci ... PCI Commands
bemrk Run Benchmark
drv List installed drives
dir List files in directory
del [<drv:>]<file> Delete file
ren <src> <dest> Rename or move file
cd <dir>|<..> Change current directory or drive
md <dir> Make directory
rd <dir> Remove directory
type [<drv:>]<file> Displays the contents of a file
copy <src> <dest> Copy a file
findstr <file> <str> Find a string in a textfile
mkdisk <drvname> <size> Make a Ramdisk
uidisk <drvname> Close and uninstall a disk
format <drvname> Format drive
mem_wr <addr> <size> <des> Write mem to file
idr Read from diagnostic ring
icr Clear diagnostic ring
idd Debug-Trace ON
bp Read all breakpoint settings
bpf [<file>] Set File for Debugprint (no arg = stdout)
is ... Debugger settings
ig [f|s] Display BPs / Clear all BPs
idb Read DB-Breaks
idt Read DB-Trace Settings
icz Clear breakpoint counters
dev ... ZIO-Device commands
bsp ... bsp commands
ftrc ... FTRC Commands
banner Display the banner
pl Display process list
pi [<appl_nr>] Display process info
ad -c|d|k|s APP-Debug Create|Detach|Kill|Start
tl Display task list (all processes)
tm [-r] Display task monitor (-r = runtime)
tc <taskname> Display task context
td <taskID> Display task descriptor
tq Display task queues
sysztsk Display ZOS-tasks of system process
appztsk [<appl_nr>] Display ZOS-tasks of appl-process(es)
stack Display stack usage of all tasks
stsk -c|d|e|s|r ZOS-Task Create|Del|Exch|Suspend|Resume
tsktrc -s|r|c ZOS-Task-Trace Start|Read|Clear
set [<name>=<val>] Display, set or remove environment variables
time Display the current time
timeset Set the current time
mem Display memory usage
status Display system status informations
ver Display version informations
r Reset system element (R,R Cxx,R Pxx,R Zxx
klog [dis|ena|all] Display, disable or enable kernel logging
psp_info Display prozessor configuration infos
int_info Interrupt-Info-List
int_gen Generate Interrupt (for Admin only)
tlbs Display TLBs
ga [<appl_nr>] Start Subshell of application
tsd Debug Timeserver
mci MCI Commands
usb <cmd> USB commands
mmc <cmd> MMC Commands
zhs ZHS commands
zpv Parameter infos
zdt data transporter
fsn ZIO/FSN statistics
net <enet|emac|mal> <dev> Network statistics
prd <pg> <reg> <len> Read PHY register (len: 8|16|32)
pwr <pg> <reg> <len> <data> Write PHY register (len: 8|16|32)
rmib Reset all statistic counters
scfg Display broadcom switch registers
ipaddr <dev> Display ip addresses on interface
route Display routing table
socket Display socket statistic
tcp Display tcp statistic
udp Display udp statistic
arp Display arp cache
ping host-ipaddr send ICMP ECHO_REQUEST to a host
arl Switch Address Resolution table
ebuf Statistic for Buffer handling FSN
tls_ciph print cipher suites for all connections
tls_obj idx print connection objects
tls_log log level for tls lib
tls_deb idx print connection debug cnts
tlscache print cert/key cache
opensslm print mem pool statistic for openssl
tlsdeb_s START mem pool debug function
tlsdeb_e END mem pool debug function
tlsdeb_r print mem pool debug for openssl
tlsdeb_c CLEAR mem pool debug function
sap special application function
Available Function-Keys:
F1 Help
F2 Display system status informations
F3 Display Last command
F5 Display the current time
F7 History
F8 Display memory usage
F9 Display ZOS-Task Infos
F10 Display Tasklist
F11 Execute Last command
SH1703>Vulnerable / tested versions
The following versions have been tested which were the latest version available
at the time of the test:
- CP-2016: CPCX26 V0.06A01
- CP-2019: PCCX26 V0.06A01
- CP-2014: CPCX25 V0.05A04
- CP-2017: PCCX25 V0.11A10
- CP-5056: CPCX55 V0.10A04