-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2023-008
Product:                   easyE4-DC-12TC1 PLC
Manufacturer:              Eaton Industries GmbH
Affected Version(s):       HW: 01; BOOT: 1.00 B 1; OS 1.41 B 628 / OS 1.41 B 632
Tested Version(s):         HW: 01; BOOT: 1.00 B 1; OS 1.41 B 628 / OS 1.41 B 632
Vulnerability Type:        Weak Encoding for Password (CWE-261)
Risk Level:                Low
Solution Status:           Fixed
Manufacturer Notification: 2023-03-31
Solution Date:             2023-10-19
Public Disclosure:         2023-10-19
CVE Reference:             CVE-2023-43776
Author of Advisory:        Manuel Stotz, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The easyE4 is a programmable logic controller which can be used, for
example, in home automation.

The manufacturer describes the product as follows (see [1]):

"The easyE4 PLC has 12 I/O and can be expanded to a network of up to
188 I/O points, providing the ideal solution for lighting, energy
management, industrial control, irrigation, pump control, HVAC and home
automation. In whatever your application, the compact and flexible
easyE4 enables control systems that are efficient and effortless to
implement. After the easyE4 is installed, changes are easily
accomplished through front panel programming, which eliminates the need
to change wiring and minimizes downtime. Gain effortless control with
the easyE4."

Because the device password is stored in a weakly encoded form
(CWE-261), it is possible to extract the encoded password from a
program file and to rapidly generate cleartext password candidates that
map to the same encoded value and are therefore accepted as valid.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Eaton's easyE4 PLC offers password-based protection to lock access to
various areas of the device, such as its Ethernet interface. If the
exact password is lost or unknown, the protected easyE4 device can still
be unlocked by the documented procedure, but the saved program and all
function relay parameters are lost in the process.
However, during a security analysis of an easyE4 program file stored on
the microSD card, Manuel Stotz found that the encoded password can be
extracted from this file and that cleartext password candidates with
the same encoded value can be generated quickly. Since the encoding is
not unique, several different cleartext passwords map to the same
encoded value, and any of these candidates is accepted by the device.
A copy of the program file (e.g. read from the microSD card) is thus
sufficient to bypass the password protection without losing the stored
program.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

To demonstrate the described security issue, Manuel Stotz developed a
proof-of-concept software tool [4] which retrieves the encoded password
from an easyE4 program file, e.g. one stored on the microSD card, and
generates suitable password candidates for it. In the following example
run (the file name indicates that the program was protected with the
password 222222), the tool finds the original password and two further
passwords with the same encoded value:

> easy_password_recovery.py MMC syss_prg_pw_222222.prg
easy/easySoft password recovery tool by Manuel Stotz, SySS GmbH

[*] Start password recovery
[*] Found password candidate for encoded password 9fd0204: 222222
[*] Found password candidate for encoded password 9fd0204: Q628AW
[*] Found password candidate for encoded password 9fd0204: R0ZUS6
[*] Bye!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

A patched version has been released, and end users operating an easyE4
with hardware version 08 are requested to upgrade to the latest easyE4
version 2.02 (see [5]).
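The following Python script is an added illustration and is not part of this advisory, of the SySS PoC tool [4], or of Eaton's firmware. It uses a hypothetical 16-bit lossy encoding (encode_weak, invented for this example; the easyE4 algorithm is not published here) to show why a short, non-unique encoding lets an attacker who holds the encoded value enumerate every cleartext that the device would accept, and contrasts it with a salted, iterated password hash that leaves no such candidate set. The character set and password lengths are assumptions chosen to keep the exhaustive search fast.

```python
"""Toy model of CWE-261 (weak password encoding) and its remedy.

encode_weak() is a hypothetical 16-bit lossy encoding invented for this
example; it is NOT the easyE4 algorithm and does not use the SySS PoC.
"""
import hashlib
import hmac
import itertools
import os
import string

# Assumed password character set (the PoC output shows upper-case letters
# and digits); a constructed assumption, not taken from the device.
ALPHABET = string.ascii_uppercase + string.digits


def encode_weak(password: str) -> int:
    """Hypothetical encoding: fold the characters into 16 bits by multiply/xor.

    Only 65,536 distinct outputs exist, so a password space of millions of
    strings necessarily collides and the stored value does not identify a
    single password.
    """
    code = 0x1234
    for byte in password.encode("ascii"):
        code = ((code * 31) ^ byte) & 0xFFFF
    return code


def recover_candidates(code: int, length: int, alphabet: str = ALPHABET) -> list:
    """Exhaustively enumerate passwords of `length` characters and return every
    one whose weak encoding equals `code`.  If the device compares encodings,
    each returned candidate unlocks it, not only the original password."""
    found = []
    for chars in itertools.product(alphabet, repeat=length):
        candidate = "".join(chars)
        if encode_weak(candidate) == code:
            found.append(candidate)
    return found


def hash_password(password: str, salt: bytes = b"", iterations: int = 600_000):
    """Hardened form: salted, iterated PBKDF2-HMAC-SHA256. Returns (salt, digest).
    A random 16-byte salt is generated when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes, iterations: int = 600_000) -> bool:
    """Constant-time comparison of a recomputed digest.  A 256-bit output over a
    salted, deliberately slow KDF gives an attacker no cheap candidate set."""
    probe = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(probe, digest)


if __name__ == "__main__":
    # Constructed example: the value a device would store for the password "2222".
    stored = encode_weak("2222")
    print(f"encoded value: {stored:04x}")
    for candidate in recover_candidates(stored, length=4):
        print(f"[*] candidate for encoded password {stored:04x}: {candidate}")
```

Running the script enumerates all 36^4 four-character strings and prints every one that collides with the stored value, mirroring the multiple candidates in the PoC output above; with a salted PBKDF2 digest, verify_password() accepts exactly the original password and an equivalent exhaustive search would have to pay the full KDF cost per guess.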
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2023-03-31: Vulnerability reported to manufacturer (no response)
2023-04-12: Vulnerability reported to manufacturer again (no response)
2023-05-02: Vulnerability reported to manufacturer again (no response)
2023-06-16: Vulnerability reported to manufacturer again (immediate
            response / request for details)
2023-06-30: Response: Issue confirmed by manufacturer
2023-10-19: Manufacturer releases the patched version of easySoft firmware
2023-10-19: Public release of security advisory
2023-11-07: Public release of PoC

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for easyE4 nano programmable logic controllers
    https://www.eaton.com/us/en-us/catalog/machinery-controls/easye4.html
[2] SySS Security Advisory SYSS-2023-008
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-008.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] Proof of Concept (PoC)
    https://github.com/SySS-Research/easy-password-recovery
[5] Eaton Vulnerability Advisory
    https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2023-1010.pdf

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Manuel Stotz of SySS GmbH.

E-Mail: manuel.stotz (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc
Key Fingerprint: F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE8FFbdH5wGT5/ZgEz55D2irzmjG0FAmVeD0wACgkQ55D2irzm
jG03bRAAiFANIk12/ZkrKdxpzxZecM43j81wnARNBI6NbS/ErH0K8GErX7QGeITl
CrHcBjnvww7BtWBOn7jQF9PkA2EBEHHbEjxSvJ5bWf/RuOZ2nHFhaYohduVaYY9G
qUoLV5WqQjUXjTHQR+LJJZf6G5XTmNGop7Gdm2CTSQj6bx3e26xReZQy1yMVaP/2
/9EsHjlS+k/ItJvQoAHdmaAOKw/UhY2n8LSTJu7QdYZtBLDZ/gVHNfRAb2owmb+I
ffHrAbz+Giog/rase0r1dlQvlKdTLizRxbM5WDLt7B+I47w5sH82AC11MV2praEe
c7aKM7RQIXWPsthrsnmPBVEDUt49x2dbTxOWP2elBJX0fyci5zVo8o4lucberfyo
AJQMDoXbDcEl6q4DaBL3vOrD2IJ8xxT70tZO1BAKvrDR/oX59k9C9HW1Th/MsqeC
ZFdGd4zwXvl281iqEHx9dtE96lt3AtTBBLSMMeG6SLeb6dxCZCYSwNLrlnoLfng2
3Q74sCV+whkqMpkdAj8wF+FfqoAZ393a/NXO5eYu8KtpKYUK4nAcgxGjyafbQvMi
1hCaZ+2GF4eAQ+wRhXH0XaOPyMIAMCO2mUCVHmjLd6ZwUb5QcFMsSxvTwQvmaHC2
fQ6wrdwsGnBTk5CWq/pKvQE9k/GFfhvGuP2UTuVURnjz05P9ZfY=
=Xdu0
-----END PGP SIGNATURE-----