Advisory ID:               SYSS-2023-007
Product:                   easySoft
Manufacturer:              Eaton Industries GmbH
Affected Version(s):       V7.01 Build 1304 / V8.00 Build 3130
Tested Version(s):         V7.01 Build 1304 / V8.00 Build 3130
Vulnerability Type:        Plaintext Storage of a Password (CWE-256)
Risk Level:                Low
Solution Status:           Fixed
Manufacturer Notification: 2023-03-31
Solution Date:             2023-10-19
Public Disclosure:         2023-10-19
CVE Reference:             CVE-2023-43777
Author of Advisory:        Manuel Stotz, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The easySoft software is used to program easy controllers.

The manufacturer describes the product as follows (see [1]):

"Eaton's easySoft software is used to program easy controllers and
displays. The software provides circuit diagram input and editing and
the diagrams can be displayed in the format desired. An integrated
offline simulation tool allows users to test a circuit diagram before
commissioning. It supports users who are configuring, programming and
defining parameters for all the intelligent relays and creating
visualization functions for the MFD displays."

Due to implementation issues, it is possible to retrieve the password
from the easySoft project file.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Eaton's easySoft software offers a password protection function for
easySoft project files. This is to protect the configuration, the
program, et cetera from unauthorized access and modifications. The use
of this function is suggested by the software.

However, during a security analysis of a project using this feature,
Manuel Stotz found out that it is possible to extract the plaintext
password from the easySoft project file.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

For demonstrating the described security issue, Manuel Stotz developed
a proof-of-concept software tool[4] which allows retrieving the
password from the easySoft project file.

> easy_password_recovery.py PRJ syss_prj_pw_123456.e80
easy/easySoft password recovery tool by Manuel Stotz, SySS GmbH
[*] Start password recovery
[*] Found password 123456
[*] Bye!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

A patched version has been released and end users are requested to
upgrade to the latest easySoft software version 8.0.1 (see [5]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2023-03-31: Vulnerability reported to manufacturer (no response)
2023-04-12: Vulnerability reported to manufacturer again (no response)
2023-05-02: Vulnerability reported to manufacturer again (no response)
2023-06-16: Vulnerability reported to manufacturer again
            (immediate response / request for details)
2023-06-30: Response: Issue confirmed by manufacturer
2023-10-19: Manufacturer releases the patched version of easySoft
2023-10-19: Public release of security advisory
2023-11-07: Public release of PoC

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for easySoft
    https://www.eaton.com/us/en-us/catalog/machinery-controls/easysoft.html
[2] SySS Security Advisory SYSS-2023-007
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-007.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] Proof of Concept (PoC)
    https://github.com/SySS-Research/easy-password-recovery
[5] Eaton Vulnerability Advisory
    https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2023-1011.pdf

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Manuel Stotz of SySS GmbH.

E-Mail: manuel.stotz (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc
Key Fingerprint: F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en