CVE-2019-6584 in LOGO!8
Summary
by MITRE
A vulnerability has been identified in SIEMENS LOGO!8 (6ED1052-xyyxx-0BA8 FS:01 to FS:06 / Firmware version V1.80.xx and V1.81.xx), SIEMENS LOGO!8 (6ED1052-xyy08-0BA0 FS:01 / Firmware version < V1.82.02). The integrated webserver does not invalidate the Session ID upon user logout. An attacker that successfully extracted a valid Session ID is able to use it even after the user logs out. The security vulnerability could be exploited by an attacker in a privileged network position who is able to read the communication between the affected device and the user or by an attacker who is able to obtain valid Session IDs through other means. The user must invoke a session to the affected device. At the time of advisory publication no public exploitation of this security vulnerability was known.
Analysis
by VulDB Data Team • 10/05/2023
The vulnerability identified as CVE-2019-6584 affects Siemens LOGO!8 series industrial control devices, specifically those running firmware versions V1.80.xx through V1.81.xx and V1.82.01 and earlier. The flaw resides in the integrated web server of these industrial automation devices, which are commonly deployed in manufacturing and industrial environments for process control and monitoring. The affected hardware covers function states FS:01 through FS:06 of the 6ED1052-xyyxx-0BA8 variant and FS:01 of the 6ED1052-xyy08-0BA0 variant, which together represent a large share of the LOGO!8 units deployed in operational technology environments.
The core technical flaw is improper session management in the web server: session identifiers are not invalidated on the server side when the user logs out. This is a classic session management weakness classified as CWE-613, "Insufficient Session Expiration". When a user logs out of the device's web interface, the server keeps the session identifier active, so an attacker who has obtained a valid session token can continue using it for unauthorized access. The logout therefore terminates the session only from the user's point of view and never revokes the privileges bound to the token, undermining the basic security expectation that logging out ends access.
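The difference between a logout that only appears to end the session and one that actually revokes it is easy to show in code. The following is an added illustration, not code from the LOGO!8 web server or from Siemens: a minimal in-memory session store in the vulnerable shape (logout leaves the server-side record in place, so a captured ID keeps resolving to the user) beside a hardened variant that removes the record on logout and additionally enforces idle and absolute timeouts. Class names, timeouts and the `operator` user are assumptions chosen for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    created: float    # seconds since epoch, passed in explicitly so tests are deterministic
    last_seen: float


class VulnerableSessionStore:
    """Hypothetical store with the CWE-613 shape described for CVE-2019-6584:
    logout is a no-op on the server, so the session ID stays usable afterwards."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, now: float) -> str:
        # 256-bit random ID: the flaw here is not ID quality but the missing revocation.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, created=now, last_seen=now)
        return sid

    def logout(self, sid: str) -> None:
        # Bug (deliberate, mirrors the advisory): the server-side record is never removed.
        return None

    def resolve(self, sid: str, now: float) -> Optional[str]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        s.last_seen = now
        return s.user


class HardenedSessionStore(VulnerableSessionStore):
    """Same interface, but logout revokes the ID and stale sessions expire.
    Timeout values are assumptions for the example, not vendor settings."""

    IDLE_TIMEOUT = 10 * 60          # seconds without a request before the ID dies
    ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap on session lifetime regardless of activity

    def logout(self, sid: str) -> None:
        # Revocation happens on the server; deleting the client cookie alone is not enough.
        self._sessions.pop(sid, None)

    def resolve(self, sid: str, now: float) -> Optional[str]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        idle_expired = now - s.last_seen > self.IDLE_TIMEOUT
        absolute_expired = now - s.created > self.ABSOLUTE_TIMEOUT
        if idle_expired or absolute_expired:
            self._sessions.pop(sid, None)  # expiry is enforced, not just observed
            return None
        s.last_seen = now
        return s.user


def session_survives_logout(store: VulnerableSessionStore) -> bool:
    """Probe used by the checks below: does a captured ID still work after logout?"""
    sid = store.login("operator", now=1000.0)
    assert store.resolve(sid, now=1001.0) == "operator"
    store.logout(sid)
    return store.resolve(sid, now=1002.0) is not None


def idle_timeout_enforced(store: VulnerableSessionStore, idle_seconds: float) -> bool:
    """True if the store still answers just inside the idle window and refuses just past it."""
    sid = store.login("operator", now=1000.0)
    t_inside = 1000.0 + idle_seconds - 1
    alive = store.resolve(sid, now=t_inside) == "operator"
    expired = store.resolve(sid, now=t_inside + idle_seconds + 1) is None
    return alive and expired


if __name__ == "__main__":
    print("vulnerable store keeps session after logout:", session_survives_logout(VulnerableSessionStore()))
    print("hardened store keeps session after logout:  ", session_survives_logout(HardenedSessionStore()))
```

The probe functions are the kind of check a product security team would keep in a regression suite: `session_survives_logout` must return `False` for every session store that ships, and `idle_timeout_enforced` guards the second half of CWE-613, sessions that are never used again but never expire either.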
The operational impact of this vulnerability is particularly concerning for the industrial environments in which these devices operate. An attacker positioned in a privileged network segment can intercept communications between the device and its users to capture valid session IDs, or can obtain such tokens through other means such as compromised credentials or other system vulnerabilities. The vulnerability requires that a user first establish an active session with the device, but once a valid ID has been captured it continues to grant access after the user logs out, since the server never invalidates it. This gives an attacker a persistent access path into the industrial control system that ordinary logout hygiene does not close, potentially leading to unauthorized modification of control parameters, disruption of operations, or physical safety hazards in critical infrastructure environments. The vulnerability is particularly dangerous because it sits at the application layer of the industrial control system, directly affecting the integrity and availability of the processes the device controls.
The security implications extend beyond simple unauthorized access to potential compromise of industrial control systems that manage critical infrastructure operations. This vulnerability aligns with ATT&CK technique T1566, which covers credential harvesting through various means including network sniffing and session hijacking, and T1078, which covers the use of valid accounts. Organizations deploying Siemens LOGO!8 devices should implement immediate mitigations: firmware updates to versions that address the session management flaw, network segmentation to limit who can reach these devices, and monitoring for suspicious session activity. Network administrators should additionally analyze traffic to and from the devices to detect session hijacking attempts, for example a session ID reappearing after the user's logout or being used from a second client address, and ensure that only authorized personnel have access to these industrial control systems. The vulnerability demonstrates the critical importance of proper session management in industrial control systems, where a breach can have far-reaching consequences beyond simple data compromise.
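The monitoring recommended above can be made concrete against the device's web access logs. The following is an added example, not part of the VulDB analysis and not based on any real LOGO!8 log format: it parses a constructed, space-separated access log (timestamp, client IP, session ID, method, path; the `/login`, `/logout`, `/status` and `/variables` paths are assumptions) and raises two findings that are the observable signature of this CWE-613 flaw being abused: a session ID used after that session's logout request, and a session ID seen from more than one client address. The sample log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterable, Iterator, List

# Constructed log format for this example; a real device's format will differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) sid=(?P<sid>\S+) (?P<method>[A-Z]+) (?P<path>\S+)$"
)

# Constructed sample: session a1b2c3 is logged out from 10.0.0.5 and then replayed
# from 10.0.0.99; session d4e5f6 is a clean login/logout from a single host.
SAMPLE_LOG = """\
2023-10-05T08:00:01Z 10.0.0.5 sid=a1b2c3 POST /login
2023-10-05T08:00:10Z 10.0.0.5 sid=a1b2c3 GET /status
2023-10-05T08:05:00Z 10.0.0.5 sid=a1b2c3 GET /logout
2023-10-05T08:30:00Z 10.0.0.99 sid=a1b2c3 GET /status
2023-10-05T08:31:00Z 10.0.0.99 sid=a1b2c3 POST /variables
2023-10-05T09:00:00Z 10.0.0.7 sid=d4e5f6 POST /login
2023-10-05T09:00:30Z 10.0.0.7 sid=d4e5f6 GET /status
2023-10-05T09:10:00Z 10.0.0.7 sid=d4e5f6 GET /logout
"""


def parse(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ev


def detect(lines: Iterable[str]) -> List[dict]:
    """Flag session IDs used after logout and session IDs shared across client IPs."""
    logged_out: Dict[str, datetime] = {}       # sid -> time of its most recent /logout
    ips_per_sid: Dict[str, set] = defaultdict(set)
    findings: List[dict] = []

    for ev in parse(lines):
        sid = ev["sid"]
        ips_per_sid[sid].add(ev["ip"])

        # Any request carrying a sid after that sid's logout is exactly what a
        # non-invalidated session looks like on the wire.
        if sid in logged_out:
            age = (ev["ts"] - logged_out[sid]).total_seconds()
            findings.append({
                "rule": "session_used_after_logout",
                "sid": sid,
                "ip": ev["ip"],
                "path": ev["path"],
                "seconds_after_logout": age,
            })

        if ev["path"] == "/logout":
            logged_out[sid] = ev["ts"]
        elif ev["path"] == "/login":
            # A fresh login should mint a new ID; if a server reuses the old one,
            # treat the new login as the start of a new session rather than a replay.
            logged_out.pop(sid, None)

    for sid, addrs in ips_per_sid.items():
        if len(addrs) > 1:
            findings.append({
                "rule": "session_shared_across_ips",
                "sid": sid,
                "ips": sorted(addrs),
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f)
```

Run over the sample, the first rule fires twice for `a1b2c3` (both post-logout requests from `10.0.0.99`, 1500 and 1560 seconds after the logout) and the second rule fires once for the same ID; `d4e5f6` produces nothing. On a patched device the first rule should never fire, because the server rejects the ID after logout, so any hit is worth an immediate look; the second rule is noisier on networks with NAT or roaming clients and is better treated as a corroborating signal.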