-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2023-010
Product:                   easySoft; easyE4-DC-12TC1 PLC
Manufacturer:              Eaton Industries GmbH
Affected Version(s):       HW: 01; BOOT: 1.00 B 1; OS 1.41 B 628 / OS 1.41 B 632;
                           easySoft V8.00 Build 3130
Tested Version(s):         HW: 01; BOOT: 1.00 B 1; OS 1.41 B 628 / OS 1.41 B 632;
                           easySoft V8.00 Build 3130
Vulnerability Type:        Weak Encoding for Password (CWE-261)
Risk Level:                Low
Solution Status:           Open
Manufacturer Notification: 2023-03-31
Solution Date:             -
Public Disclosure:         2023-10-19
CVE Reference:             -
Author of Advisory:        Manuel Stotz, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The easyE4 is a programmable logic controller (PLC) which can be used,
for example, in home automation.

The manufacturer describes the product as follows (see [1]):

"The easyE4 PLC has 12 I/O and can be expanded to a network of up to 188
I/O points, providing the ideal solution for lighting, energy management,
industrial control, irrigation, pump control, HVAC and home automation.
In whatever your application, the compact and flexible easyE4 enables
control systems that are efficient and effortless to implement. After
the easyE4 is installed, changes are easily accomplished through front
panel programming, which eliminates the need to change wiring and
minimizes downtime. Gain effortless control with the easyE4."

Due to implementation issues, it is possible to extract the encoded
password from captured network traffic and rapidly generate
corresponding valid cleartext password candidates.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Eaton's easyE4 PLC offers password-based protection to lock access to
various areas, such as access to the Ethernet interface of the device.

When a connection to the easyE4 is established via easySoft, the
password is requested from the user, encoded and interleaved with a
time-based value, and then transferred to the easyE4.
If the password is lost or unknown, it is possible to unlock the
protected easyE4 device, but the saved program and all function relay
parameters will be lost.

However, during a security analysis of the communication between
easySoft and the easyE4, Manuel Stotz found that it is possible to
extract the encoded password and generate corresponding valid cleartext
password candidates, i.e. the encoding is not a one-way transformation
and several cleartext passwords map to the same encoded value.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

For demonstrating the described security issue, Manuel Stotz developed
a proof-of-concept software tool [4] which allows retrieving the encoded
password from a network traffic capture file and generating suitable
password candidates for it.

> easy_password_recovery.py PCAP syss_network_pw_111111.pcapng
easy/easySoft password recovery tool by Manuel Stotz, SySS GmbH
[*] Start password recovery
[*] Found password candidate for encoded password 0x7022c848040ac202/0xe22483f6: 111111
[*] Found password candidate for encoded password 0x7022c848040ac202/0xe22483f6: Q3YVP5
[*] Found password candidate for encoded password 0x7022c848040ac202/0xe22483f6: ZCAAQS
[*] Bye!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS GmbH is not aware of a solution for the described security issue
in the affected versions.

According to Eaton, the problem is no longer present in newer versions
(hardware version 08; firmware version 2.00; easySoft version 8.00).
Eaton is working on issuing an end-of-life notification for older
versions of the easyE4 in the near future.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2023-03-31: Vulnerability reported to manufacturer (no response)
2023-04-12: Vulnerability reported to manufacturer again (no response)
2023-05-02: Vulnerability reported to manufacturer again (no response)
2023-06-16: Vulnerability reported to manufacturer again
            (immediate response / request for details)
2023-06-30: Response: The problem has already been fixed by the
            manufacturer for newer versions
2023-10-19: Public release of security advisory
2023-11-07: Public release of PoC

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for easyE4 nano programmable logic controllers
    https://www.eaton.com/us/en-us/catalog/machinery-controls/easye4.html
[2] SySS Security Advisory SYSS-2023-010
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-010.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] Proof of Concept (PoC)
    https://github.com/SySS-Research/easy-password-recovery

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Manuel Stotz of SySS GmbH.

E-Mail: manuel.stotz (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc
Key Fingerprint: F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE8FFbdH5wGT5/ZgEz55D2irzmjG0FAmVeD3EACgkQ55D2irzm
jG2nog/+LpM0hAY16RU43JhTblUEAq8xvYOvWFUqTtr+iLF4rYivcRPtFRb7sswo
5DGGB5inS/fVsavz+jk/of296g0vLslum8S26hM2eBbKM3JDoHnoZTVy5DC32/+b
5QdHG3ymQKzBGCNnb324K4uY5g8048StC7iaxyWmvqGwNlAuNFc5FFEsdjyVcl0z
7Qky4p9xXjQghiHPmDdEjVxeGgwbTfOQ8W0a1I0CgBcPVcXXS3UCNDccGkFZ7RLw
hUdOGqFELWC60yvJTKJItxOsYGooFmI9LYYF5M/QhgxP2zFzhJwKQgZkWMHswwCG
H1QyHp2lG8qguSMMLYBNR294mJTZQWVQKXSeV0FP5YbRSLR41N0Sw/mlX1XN/wHd
XGJtRPtnGk/CT1M68GcgRYKf1n9XQ+u08U7o41Vr2VVEABlPOs1I46nzzfGpZro2
j89hWFhybGTBWqrJj+F7qq3lep8fvbE8zfGG1Yep0KdQ7gE0aOR7UFT6QcH+3Zwn
NBP7Fv/BuMjX1Ts+gvGQicP+bBEO3e4MOZf3SP9e1gZUFXG+YstOvwgYl4jOkp1K
dWBWFte7QW7Y+/w9matj+Na2mcp73tJoI7fWEsFFY6Z/2804I3my1lcsQNgXwFoB
gFMAoQ4SkRnCHMA6MRh6gz68ZjOdK/WFg5sTj5wyti5xCl1bY/s=
=vrUt
-----END PGP SIGNATURE-----