Full Report
LOGO! 8 BM (incl. SIPLUS variants) contains multiple web-related vulnerabilities. These could allow an attacker to execute code remotely, put the device into a denial of service state or retrieve parts of the memory. The vulnerabilities are related to the hardware of the product. Siemens has released new hardware versions with the LOGO! V8.4 BM and the SIPLUS LOGO! V8.4 BM product families for all affected devices in which several of those vulnerabilities are fixed. See the chapter “Additional Information” below for more details. For more information please also refer to the related product support article: https://support.industry.siemens.com/cs/ww/en/view/109826554/.
Analysis Summary
# Vulnerability: Multiple Web-Related Flaws in Siemens LOGO! 8 BM
## CVE Details
- **CVE ID:** CVE-2022-36361, CVE-2022-36362, CVE-2022-36363
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-200 (Information Exposure)
## Affected Systems
- **Products:**
  - LOGO! 8 BM (Base Module)
  - SIPLUS LOGO! 8 BM variants
- **Versions:**
  - LOGO! V8.3 BM (All versions)
  - LOGO! 12/24RCE, 12/24RCEo, 230RCE, 230RCEo, 24CE, 24CEo, 24RCE, 24RCEo (Product family 0BA1)
- **Configurations:** Devices with the web server enabled are primarily at risk.
## Vulnerability Description
The affected devices contain multiple vulnerabilities within their integrated web server component.
- **Remote Code Execution (RCE):** Buffer overflow vulnerabilities allow an unauthenticated attacker to send specially crafted packets to the web server to execute arbitrary code.
- **Denial of Service (DoS):** Attackers can trigger a state where the device becomes unresponsive, requiring a manual restart.
- **Memory Disclosure:** Flaws allow the retrieval of sensitive parts of the device's memory, potentially exposing configuration details or credentials.
## Exploitation
- **Status:** PoC not publicly mentioned in the advisory; no confirmed exploitation in the wild at the time of publication.
- **Complexity:** Medium
- **Attack Vector:** Network (Can be exploited remotely if the web interface is reachable).
## Impact
- **Confidentiality:** High (Memory contents can be read).
- **Integrity:** High (Remote code execution allows for system modification).
- **Availability:** High (Device can be crashed/rendered inoperable).
## Remediation
### Patches
Because these vulnerabilities are related to the hardware architecture of the 0BA1 series, direct software patches for older units are not available. Siemens has released **new hardware versions (LOGO! V8.4 BM / 0BA2 series)** that fix CVE-2022-36361 and CVE-2022-36363.
**Fixed Hardware Models (0BA2 Series):**
- LOGO! 12/24RCE (6ED1052-1MD08-0BA2)
- LOGO! 12/24RCEo (6ED1052-2MD08-0BA2)
- LOGO! 230RCE (6ED1052-1FB08-0BA2)
- LOGO! 230RCEo (6ED1052-2FB08-0BA2)
- LOGO! 24CE (6ED1052-1CC08-0BA2)
- SIPLUS variants (e.g., 6AG1052-1MD08-7BA2)
### Workarounds
For 0BA1/V8.3 hardware where no fix is planned:
1. **Disable the Web Server:** If not required for operation, disable the web interface entirely.
2. **Network Isolation:** Ensure the device is not accessible via the internet.
3. **VPN/Firewalls:** Use secure VPN tunnels for remote access and implement strict firewall rules to restrict traffic to trusted IPs only.
4. **Defense in Depth:** Follow Siemens' recommended security guidelines for Industrial Control Systems.
## Detection
- **Indicators of Compromise:** Unexpected device reboots, loss of access to the web interface, or unusual network traffic on ports 80/443 directed at the LOGO! device.
- **Detection Methods:** Monitor network logs for malformed or abnormally long HTTP requests directed at the device's web server ports, and for web-interface connections from hosts outside the trusted set.
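As an added example (not code from the advisory or from Siemens), the two checks the Workarounds and Detection sections describe, an allowlist of trusted sources and a size heuristic for malformed HTTP requests to the device's web ports, run over constructed log lines; the log format, the device address 192.0.2.10, the trusted host 192.0.2.50 and the thresholds are all assumptions.

```python
import re

# Constructed sample log (not real LOGO! traffic): one entry per line in the
# hypothetical format "<src_ip> <dst_ip>:<dst_port> <method> <target> <request_bytes>".
DEVICE_IP = "192.0.2.10"            # placeholder address of the LOGO! 8 BM web server
TRUSTED_SOURCES = {"192.0.2.50"}    # assumed engineering workstation allowed to reach it
WEB_PORTS = {"80", "443"}
MAX_TARGET_LEN = 256                # heuristic thresholds; tune to the real environment
MAX_REQUEST_BYTES = 4096

SAMPLE_LOG = (
    "192.0.2.50 192.0.2.10:80 GET /index.html 412\n"
    "198.51.100.7 192.0.2.10:80 GET /index.html 398\n"
    "192.0.2.50 192.0.2.10:80 POST /login 9831\n"
    "192.0.2.50 192.0.2.10:80 GET /" + "A" * 600 + " 700\n"
    "192.0.2.50 192.0.2.10:443 GET /status 380\n"
    "203.0.113.9 192.0.2.10:80 ??? (truncated)\n"
)

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+) (\S+) (\d+)$")


def analyze(log_text, device=DEVICE_IP, trusted=TRUSTED_SOURCES):
    """Return (line_no, finding, detail) tuples for entries that trip a check:
    unparseable entry, untrusted source reaching the web UI, request larger
    than the sane thresholds, or an unexpected HTTP method."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            findings.append((n, "unparseable", line[:60]))
            continue
        src, dst, port, method, target, size = m.groups()
        if dst != device or port not in WEB_PORTS:
            continue                       # not traffic to the device's web server
        if src not in trusted:
            findings.append((n, "untrusted_source", src))
        if len(target) > MAX_TARGET_LEN or int(size) > MAX_REQUEST_BYTES:
            findings.append((n, "oversized_request", f"target={len(target)}B total={size}B"))
        if method not in {"GET", "POST", "HEAD"}:
            findings.append((n, "unusual_method", method))
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in analyze(SAMPLE_LOG):
        print(f"line {line_no}: {kind} ({detail})")
```

The length thresholds are only a triage heuristic; pair the script with the allowlist enforced at the firewall rather than relying on log review alone.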
## References
- **Vendor Advisory:** SSA-955858
- **Siemens Support:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109826554/
- **Siemens ProductCERT:** hxxps://www[.]siemens[.]com/cert/advisories