Siemens LOGO! Insufficient Verification of Data Authenticity (CVE-2022-36360)

high Tenable OT Security Plugin ID 501668

Synopsis

The remote OT asset is affected by a vulnerability.

Description

A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). Affected devices load firmware updates without checking the authenticity. Furthermore the integrity of the unencrypted firmware is only verified by a non-cryptographic method. This could allow an attacker to manipulate a firmware update and flash it to the device.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Siemens recommends users update to V8.3 or later and to obtain and install firmware upgrades only from official sources.

For more information, see Siemens Security Advisory SSA-928782 in HTML or CSAF.

See Also

https://cert-portal.siemens.com/productcert/pdf/ssa-928782.pdf

https://www.cisa.gov/news-events/ics-advisories/icsa-22-286-01

Plugin Details

Severity: High

ID: 501668

Version: 1.5

Type: remote

Family: Tenable.ot

Published: 9/21/2023

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2022-36360

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:siemens:logo%21_8_bm_firmware, cpe:/o:siemens:logo%218_bm_fs-05_firmware

Required KB Items: Tenable.ot/Siemens

Exploit Ease: No known exploits are available

Patch Publication Date: 10/11/2022

Vulnerability Publication Date: 10/11/2022

Reference Information

CVE: CVE-2022-36360

CWE: 345, 354

ICSA: 22-286-01