SEC Consult SA-20260617-0 :: Multiple Critical Vulnerabilities in Sprecher Automation SPRECON-E-C/-E-P/-E-T3

2026-6-21 03:51:27 Author: seclists.org(查看原文) 阅读量:8 收藏

SEC Consult Vulnerability Lab Security Advisory < 20260617-0 >
=======================================================================
              title: Multiple Critical Vulnerabilities
            product: Sprecher Automation SPRECON-E-C/-E-P/-E-T3
 vulnerable version: See vulnerable versions below
      fixed version: See solution section below
         CVE number: CVE-2022-4333, CVE-2022-4332, CVE-2025-41741,
                     CVE-2025-41742, CVE-2025-41743, CVE-2025-41744
             impact: critical
           homepage:https://www.sprecher-automation.com/
              found: 2022-08-26
                 by: Steffen Robertz
                     Christian Hager (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Atos business
                     Europe | Asia

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Sprecher Automation provides products and solutions for power supply
and process automation. We secure critical infrastructures and optimise
complex energy and industry processes. [...]
Quality, availability and security – those are not only our customers's
requirements, but also goals we are striving for. Due to that, for example,
the hard- and software development are located in Austria and Germany.
We produce exclusively in Austria – starting with the production of
single elements, to system checks and practical inhouse testing."

Source:https://www.sprecher-automation.com/en/company

Business recommendation:
------------------------
The vendor provides updated versions as well as workaround information in
their security advisories. Users should verify whether the patches are
installed already, otherwise patch immediately.

SEC Consult highly recommends to perform a thorough security review of
the product conducted by security professionals to identify and resolve
potential further security issues.

Vulnerability overview/description:
-----------------------------------
1) Leak of Firmware Signing Private Key (CVE-2025-41741)
Sprecher signs its firmware update files to prevent an attacker from
loading manipulated update files. However, each PLC contains the
globally valid private signing key, as it is also used to sign backups.
An attacker, who obtains the key is able to ship validly signed,
modified firmware updates.

The security vulnerability has been resolved in firmware version 9 and
above. Further details can be found in the advisory of the vendor. In
previous versions the affected feature can be deactivated by the customer.
The stated key can only be used in conjunction with the backup feature.
Affected products: SPRECON-E-C/-E-P/-E CPU Modul

2) Missing Secure-Boot Mechanism (CVE-2022-4332)
The PLC is able to detect secure boot violations correctly. However,
the events are not handled properly. They only output a warning to the
boot log, but do not prevent the device's operation. Thus, anybody with
physical access to the device can modify the firmware and potentially
include backdoors.

The security vulnerability has been resolved in firmware version 8.71a and
above, as well as 8.64m. Further details can be found in the advisory
of the vendor. In current and previous versions the affected feature can be
deactivated by the customer.
Affected products: SPRECON-E-C/-E-P/-E

3) Unencrypted External Flash Memory (CVE-2022-4332)
The external flash memory can be dumped using tools such as the Xgecu
T56. This allows an attacker with physical access to read all files and
thus gain knowledge about sensitive files such as passwords and private
keys.

The security vulnerability has been resolved in firmware version 9 and above.
Further details can be found in the advisory of the vendor. In current and
previous versions the affected feature can be deactivated by the customer.
Affected products: SPRECON-E-C/-E-P/-E-T3

4) Usage of static passwords (CVE-2025-41742)
Various static passwords / key material can be discovered in the firmware.
They serve  different use cases, such as hard-coded user accounts, as well as
encryption for settings and configuration files. This allows an attacker
to decrypt configuration files, modify them and properly encrypt them
again.

According to the vendor, the documented static identity string does not serve
a security purpose in the system and is used as an identifier for maintenance.
Using the default identifier can lead to the targeted system being misidentified
during maintenance.
Affected products: SPRECON-E-C/-E-P/-E-T3

5) Hard-coded Vendor Accounts (CVE-2022-4333)
Two hard-coded vendor accounts were revealed in the devices. These
accounts are shipped with every update file and can be used by the
vendor e.g. for support access.

These documented accounts can be activated or deactivated in the configuration.
These accounts are additionally secured with 2FA in firmware version 8.71g.
Affected products: SPRECON-E-C/-E-P/-E-T3

6) Decrypt Firmware Update Files (CVE-2025-41743)
Firmware update files include hard-coded accounts from vulnerability 5 and
can be decrypted using an XOR algorithm and a static password. This
allows an attacker to further analyze PLC components as well as gaining
knowledge of private keys and hard-coded accounts without requiring
physical access to any device.

The signature and encryption mechanism have been modified and the security
vulnerability has been resolved in version 8.71 and above. Further details
can be found in the advisory of the vendor.
Affected products: SPRECON-E-C/-E-P/-E-T3

7) Insecure Transport Encryption (CVE-2025-41744)
The PLC's webserver and the connection to the Sprecher Engineering Center
software use the same static default key on all devices. An attacker who gains
access to the private key via vulnerability 3 or 6 can thus decrypt all
traffic in a man-in-the-middle position. Thus, an attacker would be
able to change configurations and read connection passwords.

According to the vendor, those certificates are only used during initial
commissioning and users can find further information to change the certificates
in the documentation/guideline "SPRECON Grundhärtung" (basic hardening).
The vendor's hardening guide makes it clear that it is both possible and
recommended to change the default certificate.
Documentation: 94.2.913.50en SPRECON Basic Hardening

Proof of concept:
-----------------
1) Leak of Firmware Signing Private Key (CVE-2025-41741)
Backups are restored by the same command flow as regular update files.
Thus, backups need to be validly signed as well. For this, Sprecher's
private key is required. The following openssl command signs the
created backup:

```
openssl dgst -sha256 -sign ${SSM_CERT}/.backup.key -passinfile:${SSM_CERT}/.pass -out
${SSM_SECURE_DIR}/image.sha256 ${SSM_SECURE_DIR}/image.zip 2>/dev/null
```

The private key and password are both stored in the same filesystem and
can be obtained via the decrypted firmware update file (vulnerability 6)
or the unencrypted flash memory (vulnerability 3).

2) Missing Secure-Boot Mechanism (CVE-2022-4332)
The main SoC of the SPRECON E-C-94 is an i.MX6. The board does not fully
enable High-Assurance Boot (HAB). Thus, the firmware and bootloader can
be modified. The modification is detected, however, since secure boot is
not fully enabled, the violation will not be handled. The following boot
log  can be seen on the device's service connector (X6). The first
bootline was manipulated to include the string "SECTEST".

```
REL_UBOOT_SECTEST_2015_07_RC7 SPL (Mar 11 2022 - 10:55:26)
Booting from SPI
Image Entry Point: 0x17800000
Image Load Address: 0x177FFFC0
Image Size: 0x48000
Authenticate image from DDR location 0x177fffc0...
Authenticated Image Size = 0x46000
Load Addr = 0x17800000
HAB not enabled
U-Boot Authentication Successful
[...]
Authenticate image from DDR location 0x12000000...
Authenticated Image Size = 0x7bc000
HAB not enabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
[...]
zImage Authentication Successful
```

3) Unencrypted External Flash Memory (CVE-2022-4332)
The main memory is a BGA153 eMMC flash memory. Thus, it can be read by
multiple tools such as the Xgecu T56. By dumping its contents, an
attacker can extract password hashes from the `/etc/passwd` or
`/etc/shadow` file and gain access to the private key from
vulnerability 1.

4) Usage of static passwords (CVE-2025-41742)
    4.1) Static Passwords in Sprecher Engineering Studio
                 Two different passwords can be used to call an internal function.
         This can be seen in following code snippet:

                 ```
                 iVar3 = _strcmp(local_28,"**redacted**");
                 if (((iVar3 == 0) || (iVar3 = _strcmp(local_28,"**redacted**"), iVar3 == 0)) ||(iVar3 = 
_strcmp(local_28,"**redacted**"), iVar3 == 0)) {
                        FUN_10001780(local_28,0x20,"XXX");
                 }
                 ```

                 Unfortunately, we were not able to fully determine the use case of
         these credentials.

        4.2) Static Passwords in Sprecher Engineering Studio Configuration files
                 When exporting configurations from the Engineering Studio, a .sprXecz
                 file will be created. It is encrypted using a static password.

        4.3) Webserver Settings Export
                 The webserver exports its settings as .jzp file. However, this
                 is just a renamed .zip file which uses a static password.

        4.4) OpenVPN and IPSEC Settings Export/Import
                 OpenVPN profiles and IPSEC settings are exported/imported as
                 zip files. They are encrypted with a static password.

5) Hard-coded Vendor Accounts (CVE-2022-4333)
The `/etc/passwd` file and `/etc/shadow` file reveal hard-coded password
hashes for the "sprecon" and "spradm" accounts. These accounts are shipped
with the update files (tested with official downloadable version 8.71) and
there seems to be no option for deleting or changing their passwords.

The usability of the accounts is configurable via the configuration.
Details to deactivate the accounts are included in the hardening guidelines.

6) Decrypt Firmware Update Files (CVE-2025-41743)
SPRECON firmware update files are encrypted. However, they use XOR magic
and static passwords as encryption method. Due to limited time, we did
not reverse engineer the XOR algorithm and instead ran the decoding
binaries using QEMU. First, the fwimaker binary was run to create a
regular zip file from the XORed .fwi file by running the following
command:

```
qemu-arm -L /usr/arm-linux-gnueabihf ./fwimaker x sce_P9pu244_sc_864l_crypt.fwi extracted.zip
```

Afterwards the ZIP file can be decompressed and decrypted.
An attacker is now able to read the static password hashes and
further analyze components of the PLC.

According to the vendor, manipulated firmware update files cannot be
flashed anymore, due to the usage of firmware signing.

7) Insecure Transport Encryption (CVE-2025-41744)
The file `/etc/rbac/default.pem` contains a private key which is used
for the HTTPS encryption of the webserver. Further, the same key is used
to encrypt the communication with the Sprecher Engineering Studio.
An attacker can use vulnerability 3 or 6 to obtain the private key
and can then decrypt communication in a man-in-the-middle position.
The certificate has following fingerprint:

```
E9:AF:F4:F1:90:83:3C:5B:0B:E2:DF:E1:DF:31:69:B5:C1:EC:90:52
```

One device using the same certificate was discovered on the internet.

According to the vendor, those certificates are only used during initial
commissioning and users can find further information to change the certificates
in the documentation/guideline "SPRECON Grundhärtung" (basic hardening).
The vendor's hardening guide makes it clear that it is both possible and
recommended to change the default certificate of the vendor.

Vulnerable / tested versions:
-----------------------------
The following firmware version & product has been tested where the vulnerabilites
have been identified:
* Leittechnik Firmware: 8.6.4i on SPRECON E-C-94

According to the vendor, the following products and firmware versions are affected:
Issue 1 - CVE-2025-41741) SPRECON-E-C/-E-P/-E CPU Module Version Amsel - PU245 and Falcon - PU244 in firmware version < 
v9.0
Issue 2 & 3 - CVE-2022-4332) SPRECON-E-C/-E-P/-E-T3 (variant PU244x), SPRECON-V460 - firmware <v8.71a (except 8.64m)
Issue 4 - CVE-2025-41742) SPRECON-E-C/-E-P/-E-T3
Issue 5 - CVE-2022-4333) SPRECON-E-C/-E-P/-E-T3 (variants PU243x, PU244x, MC33/34, SPRECON-EDIR), SPRECON-V460
Issue 6 - CVE-2025-41743) SPRECON-E-C/-E-P/-E-T3 in firmware versions <v9.0
Issue 7 - CVE-2025-41744) SPRECON-E-C/-E-P/-E-T3

Vendor contact timeline:
------------------------
Our vulnerabilities were identified in August 2022 where a third party directly
submitted the vulnerabilities to the vendor. We took over the coordination
in November 2023 again also because a vulnerability verification/recheck was
planned.

2023-11-23: Contacting vendor through SPRECON contact form on website
            (https://www.sprecher-automation.com/anfrage-sprecon)
2023-11-24: Vendor responds that vulnerabilities have not been assigned to separate
            advisories. The vulnerabilities have not yet been fixed as a new
            security subsystem needs to be implemented. First fixes are scheduled
            for end of Q1/2024 but maintenance releases have been rolled out
            to migitate some issues. A full fix is planned for the major product
            version and afterwards CVEs and details will be published in accordance
            with E-CERT and BSI.
2024-10-30: Requesting status update of responsible disclosure.
2024-10-31: Sprecher did not yet receive the results of the recheck. Sprecher will
            clarify the internal state of the responsible disclosure process.
            Our contact person is not directly working at Sprecher anymore but as a
            contractor.
2024-12-05: Requesting status update again and a contact at Sprecher.
2024-12-09: No firmware updates for all devices yet. No specific timeline yet,
            estimated for Q1 2025.
2025-02-10: Requested status update.
2025-03-18: Requested update as the current state of patches is unclear, informing
            vendor that our contact person has changed as well. No response.
2025-05-19: Requested status update. No response.
2025-07-10: Requested update.
2025-07-14: Sprecher responds that the security contact for our advisory changed and
            we should contact another person (who was in CC all the communication
            attempts before).
2025-07-16: Sprecher wants to schedule a short meeting to discuss the current status.
2025-07-18: Exchanging several date suggestions for the meeting.
2025-08-20: Meeting with Sprecher and providing the current state of the advisory.
2025-09-22: Submitting another (different) security advisory to Sprecher.
2025-09-23: Meeting with Sprecher regarding the current state of the vulnerabilities.
            Scheduling follow-up meeting for 7th October.
2025-10-07: Sprecher cancelled planned meeting on short notice. Our CNA shortly phoned
            with Sprecher. Setup a new meeting and communicated that a normal responsible
            disclosure timeline is 3 months.
2025-10-13: Meeting with Sprecher and our CNA and agreeing on a mutual timeline
            regarding the advisory release. Sprecher will give feedback regarding CVE
            assignment, provided CVE-2022-4332 and CVE-2022-4333. Vendor will provide
            information regarding vulnerability 4 until 2025-10-17.
            SEC Consult removes sensitive information from advisory and that manipulated
            images cannot be exploited (issue 6) and that the vendor recommends changing
            certificates (issue 7).
            The vendor blog post will be released on 24th October and our publication is
            then planned for 27th October.
            Sending the current state of the advisory again.
2025-10-15: Asking whether Sprecher received our encrypted email, asking for confirmation.
            No response from the vendor.
2025-10-17: Preparing the release of the advisory.
            Sending the final draft of the advisory to Sprecher with a target
            release date on the 2025-10-27.
            Contacting CERT@VDE regarding CVE-2022-4332 + CVE-2022-4333.
2025-10-20: Vendor responds that our draft advisory is incorrect, contains already
            published (from their side) CVEs and requests further coordination for
            responsible disclosure.
2025-10-21: Contacting CERT@VDE regarding potential support.
2025-10-22: CERT@VDE cannot support our case as Sprecher is not a partner.
2025-10-23: Adjusted timeline again and submitted draft advisory to Sprecher. Asking
            for a meeting.
2025-11-05: Meeting with vendor, discussing vulnerabilities & next steps, vendor will
            provide further information as well as feedback to our advisory.
2025-11-05: Vendor provides CVE numbers and links to their advisories.
2025-11-06: Adjusting advisory with feedback of vendor and CVE numbers etc., submitting
            latest draft version to vendor again.
2025-11-19: Asking the vendor for a status update & feedback.
2025-12-02: Vendor responds with adjusted advisory feedback.
2025-12-15: Informing vendor about internal delays on our side regarding publication.
2026-06-11: Sending adjusted advisory to vendor & proposed publication date (17th June).
2026-06-17: Public release of security advisory.

Solution:
---------
The vendor provides relevant updates and/or workarounds for the specific issues
in their own advisories:

(PDFs in German)

Full Disclosure mailing list archives

Current thread: