Full Report
Two vulnerabilities have been identified in the LOGO! Soft Comfort software. These could allow an attacker to take over a system with the affected software installed. Siemens has released an update for LOGO! Soft Comfort and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Multiple Flaws in Siemens LOGO! Soft Comfort
## CVE Details
- **CVE ID:** CVE-2020-25243
- **CVSS Score:** 5.1 (Medium)
- **CWE:** CWE-22 (Path Traversal / "Zip Slip")
- **CVE ID:** CVE-2020-25244
- **CVSS Score:** 8.4 (High)
- **CWE:** CWE-427 (Uncontrolled Search Path Element / DLL Hijacking)
## Affected Systems
- **Products:** LOGO! Soft Comfort (Engineering software for LOGO! Base Modules)
- **Versions:** All versions prior to V8.4
- **Configurations:** Systems where project files are imported or the software is executed with high privileges.
## Vulnerability Description
The software suffers from two distinct flaws that, when leveraged, can lead to full system compromise:
1. **Zip Slip (CVE-2020-25243):** Pathnames are not properly restricted during the import of project files. An attacker can craft a malicious project file that, when imported, writes files to arbitrary locations outside the intended directory.
2. **DLL Hijacking (CVE-2020-25244):** The software insecurely searches for and loads external libraries. A local attacker can place a malicious DLL in the search path, which the software then executes with its own privilege level.
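The entry-path check whose absence defines a Zip Slip flaw (CWE-22), usable as a pre-import screen for archives from untrusted sources. This is an added example, not Siemens code: it runs on a constructed ZIP archive with made-up entry names, assumes nothing about the LOGO! project file format, and the function names are hypothetical.

```python
import io
import zipfile
from pathlib import PureWindowsPath

# Constructed entry names (not taken from any real project file).
SAMPLE_NAMES = [
    "project/circuit.dat",          # stays inside the target directory
    "project/assets/../notes.txt",  # ".." that never leaves the root: safe
    "../../outside.txt",            # climbs above the root
    "assets\\..\\..\\lib.dll",      # same climb with Windows separators
    "C:/Temp/drop.dll",             # absolute path with a drive letter
]

def escapes_root(name: str) -> bool:
    """True if writing this entry name could land outside the target directory."""
    norm = name.replace("\\", "/")  # treat both separator styles alike
    if norm.startswith("/") or PureWindowsPath(name).drive:
        return True                 # absolute, UNC or drive-qualified path
    depth = 0
    for part in norm.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:           # walked above the extraction root
                return True
        else:
            depth += 1
    return False

def unsafe_entries(archive_bytes: bytes) -> list[str]:
    """List entries to reject before anything is written to disk."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [n for n in zf.namelist() if escapes_root(n)]

def build_sample() -> bytes:
    """Build the constructed archive in memory so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in SAMPLE_NAMES:
            zf.writestr(name, b"constructed")
    return buf.getvalue()

if __name__ == "__main__":
    for entry in unsafe_entries(build_sample()):
        print("reject:", entry)
```

An importer that applies this check should refuse the whole archive when any entry is flagged, rather than skipping the flagged entries and extracting the rest.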
## Exploitation
- **Status:** PoC available (indicated by CVSS "Exploit Code Maturity: Proof-of-Concept")
- **Complexity:** Low
- **Attack Vector:** Local (Requires the user to import a malicious file or an attacker to have local file system access)
## Impact
- **Confidentiality:** High (Full system takeover possible)
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
- **Update to LOGO! Soft Comfort V8.4 or later.**
- Download Link: hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109826553/
### Workarounds
- **Least Privilege:** Do not run LOGO! Soft Comfort with administrative/root privileges.
- **Access Control:** Restrict access to project files on engineering workstations to trusted users only.
- **Source Validation:** Only import project files from known and trusted sources.
- **Network Segmentation:** Follow Siemens' operational guidelines for Industrial Security to protect the IT/OT environment.
## Detection
- **Indicators of Compromise:** Presence of unexpected DLL files in the software's installation directory or project folders; unauthorized files created in system directories following a project import.
- **Detection Methods:** Monitor file system integrity on engineering stations; audit process execution for LOGO! Soft Comfort to identify unauthorized sub-processes or library loads.
## References
- **Siemens Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-983300[.]html
- **General Security Recommendations:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security
- **Siemens Industrial Security:** hxxps://www[.]siemens[.]com/industrialsecurity