Full Report
LOGO! V8.3 BM (incl. SIPLUS variants) devices contain a vulnerability that could allow an electromagnetic fault injection. This could allow an attacker to dump and debug the firmware, including the manipulation of memory. Further actions could allow an attacker to inject public keys of custom created key pairs which are then signed by the LOGO! V8.3 Product CA. The vulnerability is related to the specific hardware architecture of the LOGO! V8.3 BM. Siemens has released new hardware versions with the LOGO! V8.4 BM and the SIPLUS LOGO! V8.4 BM product families for all affected devices in which the vulnerability is fixed and the Product CA private key is rotated. See the chapter “Additional Information” below for more details. For more information please also refer to the related product support article: https://support.industry.siemens.com/cs/ww/en/view/109826554/.
Analysis Summary
# Vulnerability: Electromagnetic Fault Injection Leading to Firmware Dumping in LOGO! V8.3 BM Devices
## CVE Details
- CVE ID: CVE-2022-42784 (not stated in the report text itself; implied by the affected-products section, which references this CVE)
- CVSS Score: 7.6 (High)
- CWE: Not explicitly stated; the issue is a hardware fault-injection weakness (hardware security / fault tolerance).
## Affected Systems
- Products: LOGO! V8.3 BM devices (including SIPLUS variants), specifically:
  - LOGO! 12/24RCE (HW/SW >= V8.3)
  - LOGO! 12/24RCEo (HW/SW >= V8.3)
  - LOGO! 230RCE (HW/SW >= V8.3)
  - LOGO! 230RCEo (HW/SW >= V8.3)
  - LOGO! 24CE (HW/SW >= V8.3)
  - LOGO! 24CEo (HW/SW >= V8.3)
  - LOGO! 24RCE (HW/SW >= V8.3)
  - LOGO! 24RCEo (HW/SW >= V8.3)
  - SIPLUS LOGO! V8.3 BM variants
- Versions: All versions >= V8.3 for the listed models.
- Configurations: Vulnerability is related to the specific hardware architecture of the LOGO! V8.3 BM.
## Vulnerability Description
The devices contain a vulnerability that allows for an **electromagnetic fault injection (EM-FI)** attack against the underlying hardware architecture. Successful exploitation allows an attacker to dump and debug the device firmware, manipulate memory, and subsequently **inject public keys of custom key pairs which are then signed by the vulnerable V8.3 Product Certificate Authority (Product CA)**.
## Exploitation
- Status: The advisory does not state that the vulnerability has been exploited in the wild; the level of technical detail in the disclosure suggests a proof of concept exists.
- Complexity: Likely **Medium to High**, as it requires specialized physical access and control over electromagnetic fault injection techniques.
- Attack Vector: **Physical** (Requires proximity for EM injection).
## Impact
Because the Product CA signing mechanism can be compromised:
- Confidentiality: **High** (Firmware contents can be dumped/debugged).
- Integrity: **High** (Memory manipulation and ability to inject fraudulently signed keys).
- Availability: **Low to Medium** (Manipulation of memory could disrupt operation, but primary impact is integrity/confidentiality).
## Remediation
### Patches
No software patch is planned for existing V8.3 hardware. The fix is implemented in new hardware releases:
- **Replacement with LOGO! V8.4 BM and SIPLUS LOGO! V8.4 BM product families.** These new versions incorporate the fix and have rotated the Product CA private key.
**Fixed Hardware Examples (V8.4 replacements):**
- LOGO! 12/24RCE (6ED1052-1MD08-0BA2)
- All other listed models ending in '0BA2' or '7BA2' (SIPLUS).
### Workarounds
Specific workarounds are listed in the "Workarounds and Mitigations" section of the vendor advisory. Based on the description, the immediate technical mitigation is preventing physical access:
- Implement stringent physical access controls for LOGO! V8.3 BM devices to prevent unauthorized electromagnetic manipulation.
## Detection
- Detection methods are not explicitly detailed in this summary, but indicators would include:
  - Unauthorized changes to key material or configurations reliant on the device certificate.
  - Monitoring of physical access logs around installed units.
## References
- Vendor Advisory: SSA-844582
- Product Support Article: https://support.industry.siemens.com/cs/ww/en/view/109826554/