PT-2019-4318 · Siemens · Desigo Px
Published 2019-11-12 · Updated 2019-12-30 · CVE-2019-13927
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D with Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 versions prior to V6.00.320
Desigo PX automation controllers PXC00-U, PXC64-U, PXC128-U with Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2 versions prior to V6.00.320
Desigo PX automation controllers PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D with activated web server versions prior to V6.00.320
Description
The device contains a vulnerability that could allow an attacker to cause a denial of service condition on the device's web server by sending a specially crafted HTTP message to the web server port (tcp/80). The security issue is related to incorrect input verification by the PX Web service. Successful exploitation requires no system privileges and no user interaction, allowing an attacker with network access to compromise the availability of the device's web service. While the device itself stays operational, the web server responds with HTTP status code 404 (Not found) to any further request. A reboot is required to recover the web interface.
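Because the controller keeps running while only its web server is wedged, the condition is easy to miss from ordinary ping or BACnet monitoring. The following health check is an added example (not code from the advisory or from Siemens): it requests a few paths that should normally exist on the PX Web interface and reports "degraded" when every answer is a 404, which is the post-exploitation state the advisory describes. The base URL and the list of known-good paths are assumptions that an operator would replace with values from their own device.

```python
import sys
import urllib.error
import urllib.request

# Assumed placeholder paths that an intact PX Web interface is expected to serve.
# Replace with paths known to exist on the monitored controller.
KNOWN_GOOD_PATHS = ["/", "/index.html"]


def probe(base_url, timeout=5.0):
    """Request each known-good path and return {path: HTTP status or None}.

    None means no HTTP answer at all (connection refused, timeout, filtered).
    urlopen raises HTTPError for 4xx/5xx, so the code is taken from the exception.
    """
    statuses = {}
    for path in KNOWN_GOOD_PATHS:
        try:
            with urllib.request.urlopen(base_url + path, timeout=timeout) as resp:
                statuses[path] = resp.status
        except urllib.error.HTTPError as err:
            statuses[path] = err.code
        except (urllib.error.URLError, OSError):
            statuses[path] = None
    return statuses


def classify(statuses):
    """Classify the probe result.

    'unreachable': nothing answered (device offline, or tcp/80 filtered per the workaround)
    'healthy':     at least one known-good path answered with a non-404 status
    'degraded':    the server answers, but every known-good path is 404, i.e. the
                   web service state described in CVE-2019-13927; a reboot is required
    """
    answered = [s for s in statuses.values() if s is not None]
    if not answered:
        return "unreachable"
    if any(s != 404 for s in answered):
        return "healthy"
    return "degraded"


if __name__ == "__main__":
    # Usage: python px_web_check.py http://<controller-ip>   (URL is a placeholder)
    base = sys.argv[1] if len(sys.argv) > 1 else "http://192.0.2.10"
    result = probe(base.rstrip("/"))
    print(classify(result), result)
```

Run it from a monitoring host inside the allowed management network; a "degraded" result is the cue to schedule the reboot and to look for the triggering traffic on tcp/80.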
Recommendations
For Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D with Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 versions prior to V6.00.320: Update to version V6.00.320 or later to resolve the issue.
For Desigo PX automation controllers PXC00-U, PXC64-U, PXC128-U with Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2 versions prior to V6.00.320: Update to version V6.00.320 or later to resolve the issue.
For Desigo PX automation controllers PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D with activated web server versions prior to V6.00.320: Update to version V6.00.320 or later to resolve the issue.
As a temporary workaround, consider restricting access to the web server port (tcp/80) to minimize the risk of exploitation.
Fix
Exposure of Resource to Wrong Sphere
Related identifiers
Affected products
Desigo Px