OpenSource Security Ralf Spenneberg Am Bahnhof 3-5 48565 Steinfurt info@xxxxxxxx OS-S Security Advisory 2017-02 Date: April 4th, 2017 Authors: Simon Heming, Maik Brüggemann, Hendrik Schwartke, Ralf Spenneberg CVE: not yet assigned CVSS: 10 Affected Device: Schneider SoMachine Basic 1.4 SP1, Schneider Modicon TM221CE16R, Firmware 1.3.3.3 Title: The password for the project protection of the Schneider Modicon TM221CE16R is hard-coded and cannot be changed. Severity: Critical. The protection of the application is not existant. Ease of Exploitation: Trivial Vulnerability type: Information Disclosure Vendor contacted: December 23rd, 2016 Abstract The Project Protection is used to prevent unauthorized users from opening the protected project file by prompting the user for a password. The XML file is AES-CBC encrypted, however the key used for encryption is hard coded and cannot be changed. The key used for encryption is: “SoMachineBasicSoMachineBasicSoMa”. After decrypting the XML file with the standard password the user password can be found in the decrypted data. After reading the user password the project can be opened and modified with SoMachine Basic. Vendor Contacted We contacted the vendor. Apart from the first acknowledgement of the receipt of the report we did not receive any further information. PDF: https://www.os-s.net/advisories/OSS-2017-02.pdf -- OpenSource Training Ralf Spenneberg http://www.os-t.de Am Bahnhof 3-5 48565 Steinfurt Germany Fon: +49(0)2552 638 755 Fax: +49(0)2552 638 757
