Siemens Unlocked JTAG Interface / Buffer Overflow

2024.12.05
Risk: High
Local: Yes
Remote: No
CWE: CWE-119

SEC Consult Vulnerability Lab Security Advisory < 20241125-0 > ======================================================================= title: Unlocked JTAG interface and buffer overflow product: Siemens SM-2558 Protocol Element (extension module for Siemens SICAM AK3/TM/BC), Siemens CP-2016 & CP-2019 vulnerable version: JTAG: Unknown HW revision, Zynq Firmware Version 10A45 Buffer overflow: <V10.46 (ETA4), <V03.27 (ETA5), <V06.02 (CPCX26), <V06.05 (PCCX26) fixed version: JTAG: SM-2558 hardware is EOL Buffer overflow: V06.02 (CPCX26), V10.46 (ETA4), V03.27 (ETA5), V06.05 (PCCX26) impact: High homepage: https://www.siemens.com found: 2023-07-11 by: Stefan Viehböck (Office Linz) Constantin Schieber-Knöbl (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "We are a technology company focused on industry, infrastructure, transport, and healthcare. From more resource-efficient factories, resilient supply chains, and smarter buildings and grids, to cleaner and more comfortable transportation as well as advanced healthcare, we create technology with purpose adding real value for customers." Source: https://new.siemens.com/global/en/company/about.html Business recommendation: ------------------------ Upgrade to the latest firmware version to mitigate the buffer overflow. The hardware (SM-2558) is considered end of life (EOL), thus no new version with a fixed JTAG will be released. Restrict physical access to the device. SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Unlocked JTAG Interface of Zynq-7000 on SM-2558 The JTAG interface can be accessed with physical access to the PCB. After slightly modifying the hardware it is possible to connect to the interface with full access to the communication module. 2) Buffer Overflow on the Webserver of the SM-2558, CP-2016 & CP-2019 (CVE-2024-31484) The webserver running on the SM-2558 device as well as CP-2016 and CP-2019 is vulnerable to a buffer overflow vulnerability. The value of the HTTP header "Session-ID" is processed and used in an "sprintf" call without proper length checking. The target buffer is in the BSS segment and likely 1024 bytes in length. The buffer overflows into several other global data structures. Proof of concept: ----------------- 1) Unlocked JTAG Interface of Zynq-7000 on SM-2558 The JTAG interface pins (TDI, TDO, TCK, TMS, GND) are accessible on a populated 20-pin header on the PCB (see [figure_1]). A removed connection needs to be restored by soldering an additional wire between two exposed contacts (see [figure_2]), as the JTAG interface of the Zynq-7000 is daisy-chained with the JTAG interface of the Broadcom BCM53101M Ethernet controller. The pad in question connects to pin A57 (TDI) of the Ethernet controller. After connecting to the pins, a connection to the Zynq-7000 JTAG interface is possible. E.g., memory can be dumped ([figure_5]), execution can be single stepped ([figure_4]) or halted ([figure_3]), and variables changed. This grants an attacker with physical access full control of the communication module. 2) Buffer Overflow on the Webserver of the SM-2558, CP-2016 & CP-2019 (CVE-2024-31484) The vulnerability can be triggered with a HTTP POST request similar to the following one: POST /SICAM_TOOLBOX_1703_remote_connection_01.htm HTTP/1.1 User-Agent: SICAM TOOLBOX II Version: 1 Session-ID: 3814280BA9922f30_BOF_PAYLOAD_HERE Sequence-ID: 525 Content-Length: 54 Content-Type: text/plain KeepAlive: 5 Connection: close type=1&length=15&data=0780640202fef1e60000feff0100c2 Here are a few observations with different Session-ID values: a) Session ID value 3814280BA9922f30 results in normal behavior HTTP/1.1 200 OK Server: SICAM 1703 Version: 1 Session-ID: 3814280BA992fd0 Sequence-ID: 1 Content-Type: text/plain Content-Length: 8 type=4 b) Session ID value 3814280BA992fd00000000000000 results in normal behavior HTTP/1.1 200 OK Server: SICAM 1703 Version: 1 Session-ID: 3814280BA992fd00000000000000 Sequence-ID: 1 Content-Type: text/plain Content-Length: 0 c) Session ID value 3814280BA992fd00000000000000... (in total 618 characters) results in three HTTP responses HTTP/1.1 200 OK Server: SICAM 1703 Version: 1 Session-ID: 3814280BA992fd000000HTTP/1.1 200 OK Server: SICAM 1703 Version: 1 Session-ID: 3814280BA992fd000000HTTP/1.1 200 OK Server: SICAM 1703 Version: 1 Session-ID: 3814280BA992 Sequence-ID: 1 Content-Type: text/plain Content-Length: 8 type=4 d) Session ID value 3814280BA992fd00000000000000... (in total 1260 characters) results in a HTTP 500 - internal server error HTTP/1.1 500 Internal Server Error Content-Type: text/html Content-Length: 198 <html><head><title>500 Internal Server Error</title></head><body><h1>Internal Server Error</h1><p>Sorry, an unexpected internal server error occurred while processing your request.</p></body></html> Pseudocode of vulnerable function: [...] sessiond_id = (char *)get_http_header(a1, (int)"Session-ID"); <<<<<<<<<<<<<<<< session_id is extracted from HTTP request if ( !sessiond_id ) goto LABEL_194; if ( unk_51CD1C ) { v11 = 0; } else { sub_3DB0E4((unsigned int)byte_51CD08, (unsigned int)sessiond_id, 0x14u); v11 = 1; } if ( sub_15332C() == 1 ) { v134 = 0; if ( sub_155BC4(a1, (int)v133) || !v134 ) { LABEL_49: sequence_id = get_http_header_int(a1, "Sequence-ID"); sprintf( <<<<<<<<<<<<<<<< response_buffer overflows here response_buffer, "HTTP/1.1 200 OK\r\n" "Server: %s\r\n" "Version: %u\r\n" "Session-ID: %s\r\n" "Sequence-ID: %lu\r\n" "Content-Type: text/plain\r\n" "Content-Length: 0\r\n" "\r\n", "SICAM 1703", 1, sessiond_id, sequence_id); [...] Vulnerable / tested versions: ----------------------------- The following version has been tested which was the latest version available at the time of the test: - Webserver that runs on Firmware Version 10A45 of the Zynq FPGA. - The Hardware revision of the device was unknown. According to the vendor, the following firmware versions for the SM-2558 are affected by CVE-2024-31484: * ETA4 Ethernet Interface IEC60870-5-104: All versions < V10.46 * ETA5 Ethernet Int. 1x100TX IEC61850 Ed.2: All versions < V03.27 Note that the same vulnerability exists as well in other products' firmware versions, namely: * CPCX26 Central Processing/Communication for CP-2016: All versions < V06.02 * PCCX26 Ax 1703 PE, Contr, Communication Element for CP-2019: All versions < V06.05 Vendor contact timeline: ------------------------ 2024-03-05: Contacting vendor through productcert@siemens.com 2024-03-06: Siemens tracks this as #22436 2024-04-03: Requested status update. 2024-04-03: Siemens can reproduce vulnerabilities and will evaluate buffer overflow. Hardware is EOL, no fix for the JTAG issue. 2024-06-11: Siemens publishes SSA-620338 and confirms the buffer overflow. 2024-07 - 2024-09: Various vacation / absences, delaying advisory coordination. 2024-10-22: Meeting with ProductCERT, discussing release of SM-2558 advisory. 2024-10-31: Sending advisory draft to ProductCERT. 2024-11-14: Receiving feedback on advisory draft. 2024-11-19: Sending updated advisory to ProductCERT. 2024-11-25: Coordinated release of advisory. Solution: --------- The vendor provides patches for the affected devices / components to fix CVE-2024-31484: * ETA4 for SM-2558: Upgrade to V10.46 * ETA5 for SM-2558: Upgrade to V03.27 * CPCX26 for CP-2016: Upgrade to V06.02 * PCCX26 for CP-2019: Upgrade to V06.05 More detailed information can be found in the Siemens Security Advisory SSA-620338: https://cert-portal.siemens.com/productcert/html/ssa-620338.html The hardware (SM-2558) is considered end of life (EOL), thus no new version with a fixed JTAG will be released. Restrict physical access to the device. Workaround: ----------- Make sure to strictly limit physical access to the PLCs containing the protocol element during and also after its life cycle. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Constantin Schieber-Knöbl, Stefan Viehböck / @2024


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top