SSA-921449: Plaintext Storage of a Password Vulnerability in LOGO! V8.3 BM Devices

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

• CVE-2024-39922: Ensure the physical security of the affected devices to prevent unauthorized access (also see theoperational guidelines for Industrial Security, especially: "Plant security: Physical prevention of access to critical components")

Please follow theGeneral Security Recommendations.

As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download:https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at:https://www.siemens.com/industrialsecurity

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

Siemens has released new hardware versions with the LOGO! V8.4 BM product family for several affected devices in which the vulnerability is fixed:

• LOGO! 12/24RCE (6ED1052-1MD08-0BA2)
• LOGO! 12/24RCEo (6ED1052-2MD08-0BA2)
• LOGO! 24CE (6ED1052-1CC08-0BA2)
• LOGO! 24CEo (6ED1052-2CC08-0BA2)
• LOGO! 24RCE (6ED1052-1HB08-0BA2)
• LOGO! 24RCEo (6ED1052-2HB08-0BA2)
• LOGO! 230RCE (6ED1052-1FB08-0BA2)
• LOGO! 230RCEo (6ED1052-2FB08-0BA2)

Siemens is working on new hardware versions for the SIPLUS devices to address this issue further.