Siemens LOGO! V8.3 BM Devices Plaintext Storage of a Password (CVE-2024-39922)

medium Tenable OT Security Plugin ID 502370

Synopsis

The remote OT asset is affected by a vulnerability.

Description

LOGO! V8.3 BM (incl. SIPLUS variants) devices contain a plaintext storage of a password vulnerability. This could allow an attacker with phyiscal access to an affected device to extract user-set passwords from an embedded storage IC.

Siemens has released new hardware versions with the LOGO! V8.4 BM product family for several affected devices in which the vulnerability is fixed. Siemens is working on new hardware versions for the SIPLUS devices to address this issue further.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

- Currently no fix is planned
- Ensure the physical security of the affected devices to prevent unauthorized access (also see the operational guidelines for Industrial Security)

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security

and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage For more information see the associated Siemens security advisory SSA-921449.

See Also

https://cert-portal.siemens.com/productcert/html/ssa-921449.html

https://www.cisa.gov/news-events/ics-advisories/icsa-24-228-05

Plugin Details

Severity: Medium

ID: 502370

Version: 1.3

Type: remote

Family: Tenable.ot

Published: 9/2/2024

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v3

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 4.2

Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:siemens:siplus_logo%21_8_bm_firmware, cpe:/o:siemens:logo%21_8_bm_firmware

Required KB Items: Tenable.ot/Siemens

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/13/2024

Vulnerability Publication Date: 8/13/2024

Reference Information

CVE: CVE-2024-39922

CWE: 256

ICSA: 24-228-05