PT-2019-2669 · Siemens · Siemens Logo!8

Published: 2019-06-11 · Updated: 2020-09-29 · CVE-2019-6584

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

SIEMENS LOGO!8 versions 6ED1052-xyyxx-0BA8 FS:01 to FS:06 / Firmware version V1.80.xx and V1.81.xx
SIEMENS LOGO!8 version 6ED1052-xyy08-0BA0 FS:01 / Firmware version prior to V1.82.02

Description

A security issue has been identified where the integrated webserver does not invalidate the Session ID upon user logout. This allows an attacker who has successfully extracted a valid Session ID to use it even after the user logs out. The issue could be exploited by an attacker in a privileged network position who can read the communication between the affected device and the user, or by an attacker who can obtain valid Session IDs through other means. Exploitation requires that a user has opened a session to the affected device. At the time of advisory publication, no public exploitation of this security issue was known.

Recommendations

For SIEMENS LOGO!8 versions 6ED1052-xyyxx-0BA8 FS:01 to FS:06 / Firmware version V1.80.xx and V1.81.xx, update to a version that includes the fix for this issue. For SIEMENS LOGO!8 version 6ED1052-xyy08-0BA0 FS:01 / Firmware version prior to V1.82.02, update to Firmware version V1.82.02 or later. As a temporary workaround, consider restricting access to the device and its web interface to minimize the risk of exploitation.
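The weakness described above is server-side: a logout that only tells the browser to drop its cookie leaves the session record alive, so a previously captured Session ID keeps authenticating. The following Python model, added here as an illustration and not code from Siemens or from the LOGO!8 firmware, contrasts that flawed logout with one that destroys the server-side record and also enforces an idle timeout. The SessionStore class, SESSION_TTL_SECONDS and the session_survives_logout() check are all hypothetical names constructed for this example.

```python
import secrets
import time

# Assumed idle timeout for the example; the advisory gives no value for the device.
SESSION_TTL_SECONDS = 600


class SessionStore:
    """Minimal in-memory session store (constructed for this example).

    invalidate_on_logout=False models the advisory's flaw (CWE-613, Insufficient
    Session Expiration): logout leaves the server-side record intact.
    invalidate_on_logout=True models the corrected behaviour.
    """

    def __init__(self, invalidate_on_logout: bool):
        self.invalidate_on_logout = invalidate_on_logout
        self._sessions = {}  # session_id -> {"user": str, "expires": float}

    def login(self, user: str, now: float) -> str:
        # A fresh, unpredictable ID is issued on every login, so an ID chosen or
        # observed before authentication never becomes a valid session (anti-fixation).
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": now + SESSION_TTL_SECONDS}
        return sid

    def logout(self, sid: str) -> None:
        if self.invalidate_on_logout:
            # Corrected variant: the record is destroyed, so the ID can never be replayed.
            self._sessions.pop(sid, None)
        # Flawed variant: nothing happens server-side; only the browser's cookie is cleared.

    def is_valid(self, sid: str, now: float) -> bool:
        rec = self._sessions.get(sid)
        if rec is None or now > rec["expires"]:
            # Expired records are purged on first use after expiry.
            self._sessions.pop(sid, None)
            return False
        return True


def session_survives_logout(store: SessionStore) -> bool:
    """Return True if a Session ID still authenticates after logout.

    This is the property a reviewer checks when assessing a web interface:
    a correct implementation returns False.
    """
    now = time.time()
    sid = store.login("admin", now)
    assert store.is_valid(sid, now)
    store.logout(sid)
    return store.is_valid(sid, now + 1)


if __name__ == "__main__":
    flawed = SessionStore(invalidate_on_logout=False)
    fixed = SessionStore(invalidate_on_logout=True)
    print("flawed logout, ID still valid:", session_survives_logout(flawed))  # True
    print("fixed logout, ID still valid: ", session_survives_logout(fixed))   # False
```

The idle timeout in is_valid() is a second, independent line of defence: even if a logout request never reaches the device (closed tab, dropped connection), a captured ID stops working after SESSION_TTL_SECONDS of inactivity rather than remaining usable indefinitely.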

Fix

Weakness Enumeration

Improper Access Control
Session Fixation
Insufficient Session Expiration

Related Identifiers

BDU:2019-02556
CVE-2019-6584

Affected Products

Siemens Logo!8