SB2020061029 - Missing Authentication for Critical Function in Siemens LOGO!8 BM
Published: June 10, 2020
Security Bulletin ID
SB2020061029
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Missing Authentication for Critical Function (CVE-ID: CVE-2020-7589)
The vulnerability allows a remote attacker to bypass authentication checks.
The vulneability exists due to the affected product is missing authentication in the TDE service functionality in "NFSAccess" and "DELETEPROG" functions. A remote attacker with access to Port 135/TCP can read and modify the device configuration and obtain project files from the devices.
Remediation
Install update from vendor's website.
References
- https://ics-cert.us-cert.gov/advisories/icsa-20-161-03
- https://cert-portal.siemens.com/productcert/pdf/ssa-817401.pdf
- https://talosintelligence.com/vulnerability_reports/TALOS-2020-1026
- https://talosintelligence.com/vulnerability_reports/TALOS-2020-1025
- https://talosintelligence.com/vulnerability_reports/TALOS-2020-1024