Advisory ID: SYSS-2023-009
Product: easyE4-DC-12TC1 PLC
Manufacturer: Eaton Industries GmbH
Affected Version(s): HW: 01; BOOT: 1.00 B 1; OS 1.41 B 628
Tested Version(s): HW: 01; BOOT: 1.00 B 1; OS 1.41 B 628
Vulnerability Type: On-Chip Debug and Test Interface With Improper Access Control (CWE-1191)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2023-03-31
Solution Date: -
Public Disclosure: 2023-10-19
CVE Reference: -
Author of Advisory: Manuel Stotz, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The easyE4 is a programmable logic controller which can be used, for
example, in home automation.

The manufacturer describes the product as follows (see [1]):

"The easyE4 PLC has 12 I/O and can be expanded to a network of up to
188 I/O points, providing the ideal solution for lighting, energy
management, industrial control, irrigation, pump control, HVAC and home
automation. In whatever your application, the compact and flexible
easyE4 enables control systems that are efficient and effortless to
implement. After the easyE4 is installed, changes are easily
accomplished through front panel programming, which eliminates the need
to change wiring and minimizes downtime. Gain effortless control with
the easyE4."

Due to configuration issues, it is possible to debug the easyE4 via
SWD/JTAG or to extract the firmware and the saved configuration.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Eaton's easyE4 PLC is based, among other things, on an STM32L4
microcontroller. This controller series provides various protection
mechanisms to prevent different types of attacks against the controller
itself and the stored firmware. One of them is the so-called readout
protection (RDP), which should protect against dumping or debugging,
for example.
However, during a security analysis of an easyE4-DC-12TC1 PLC, Manuel
Stotz found out that this protection feature is not used. Therefore, it
is possible to either debug the easyE4 via SWD/JTAG or to dump the
firmware and the saved configuration.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Open the device, connect a suitable debug probe according to the pin
layout below, and start debugging or dumping.

Pin layout on the back (top left) of the main PCB (two rows of eight
pins):

  NC   VSS   -   TDI       NRST    SWCLK       VDD   NC
  NC   VDD   -   SWO/TDO   NTRST   SWDIO/TMS   VSS   NC

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS GmbH is not aware of a solution for the described security issue.

According to Eaton, the problem is no longer present in newer versions
(hardware version 08; firmware version 2.00; easySoft version 8.00).
Eaton is working on issuing an end-of-life notification for older
versions of easyE4 in the near future.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2023-03-31: Vulnerability reported to manufacturer (no response)
2023-04-12: Vulnerability reported to manufacturer again (no response)
2023-05-02: Vulnerability reported to manufacturer again (no response)
2023-06-16: Vulnerability reported to manufacturer again
            (immediate response / request for details)
2023-06-30: Response: The problem has already been fixed by the
            manufacturer for newer versions
2023-10-19: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for easyE4 nano programmable logic controllers
    https://www.eaton.com/us/en-us/catalog/machinery-controls/easye4.html
[2] SySS Security Advisory SYSS-2023-009
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-009.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
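The check a manufacturer or integrator would run against the RDP configuration described above, as an added example that is not part of the advisory: it decodes the STM32L4 FLASH_OPTR option-byte value that a debug probe reads back, derives the exposure that value implies, and computes the value a fix would program to reach Level 1. It assumes the STM32L4 RDP encoding (low byte of FLASH_OPTR: 0xAA selects Level 0, 0xCC selects Level 2, any other value selects Level 1) and uses a constructed sample value.

```python
# Added example (not part of the SySS advisory): decode the STM32L4
# readout-protection (RDP) level from the FLASH_OPTR option register and
# compute the value a fix would program. Assumes the STM32L4 encoding:
# RDP is the low byte of FLASH_OPTR, 0xAA = Level 0 (unprotected),
# 0xCC = Level 2 (permanent), anything else = Level 1.

RDP_MASK = 0xFF
RDP_LEVEL0 = 0xAA
RDP_LEVEL2 = 0xCC


def rdp_level(optr: int) -> int:
    """Return the RDP level (0, 1 or 2) encoded in a FLASH_OPTR value."""
    rdp = optr & RDP_MASK
    if rdp == RDP_LEVEL0:
        return 0
    if rdp == RDP_LEVEL2:
        return 2
    return 1  # every other byte value selects Level 1


def assess(optr: int) -> dict:
    """Map a dumped FLASH_OPTR value to the exposure described in the advisory."""
    level = rdp_level(optr)
    exposed = level == 0
    return {
        "rdp_byte": optr & RDP_MASK,
        "level": level,
        "debug_port_open": exposed,  # SWD/JTAG attach possible at Level 0 only
        "flash_readable": exposed,   # firmware and config dumpable at Level 0
        "permanent": level == 2,     # Level 2 cannot be reverted
    }


def with_rdp_level1(optr: int, rdp_byte: int = 0xBB) -> int:
    """Return the FLASH_OPTR value that raises protection to Level 1.

    Any byte other than 0xAA/0xCC selects Level 1; 0xBB is the usual choice.
    Level 1 is reversible (dropping back to Level 0 mass-erases the flash),
    so units can still be wiped and reprogrammed during service.
    """
    if rdp_byte in (RDP_LEVEL0, RDP_LEVEL2):
        raise ValueError("byte would select Level 0 or Level 2, not Level 1")
    return (optr & ~RDP_MASK) | rdp_byte


# Constructed sample: an OPTR whose RDP byte is the reset default 0xAA,
# i.e. the unprotected state the advisory found on the affected device.
SAMPLE_OPTR = 0xFFEFF8AA
```

Feeding the value read from the option bytes into assess() gives a pass/fail verdict for a production-readiness check; with_rdp_level1() shows what the corrected option byte looks like.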
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Manuel Stotz of SySS GmbH.

E-Mail: manuel.stotz (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc
Key Fingerprint: F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en