PT-2016-7670 · Siemens · Desigo Px +1
Joshua Fried +2 · Published 2016-12-23 · Updated 2019-10-09 · CVE-2016-9154
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Siemens Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 for Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D versions prior to V6.00.046
Siemens Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2 for Desigo PX automation controllers PXC00-U, PXC64-U, PXC128-U versions prior to V6.00.046
Description
The vulnerability stems from the use of a pseudo-random number generator with insufficient entropy to generate the certificates for HTTPS. This could potentially allow remote attackers to reconstruct the corresponding private key.
Recommendations
For versions prior to V6.00.046, update the firmware to version V6.00.046 or later to address the issue.
As a temporary workaround, consider restricting access to the HTTPS interface until the update is applied.
Affected Products
Desigo Px
Desigo Px Web