PT-2022-3425 · Siemens · Desigo Pxc3+3

Published 2022-05-10 · Updated 2022-10-06 · CVE-2022-24042

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Desigo DXR2 versions prior to V01.21.142.5-22
Desigo PXC3 versions prior to V01.21.142.4-18
Desigo PXC4 versions prior to V02.20.142.10-10884
Desigo PXC5 versions prior to V02.20.142.10-10884
Description

A vulnerability has been identified in the AuthToken component of the Desigo DXR2, PXC3, PXC4, and PXC5 station automation modules. The issue is related to the incorrect expiration of session tokens. An attacker could capture this token and re-use old session credentials or session IDs for authorization. The web application returns an AuthToken that does not expire at the defined auto logoff delay timeout.
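The defect class described above (CWE-613, a token that outlives the configured auto-logoff delay), shown as an added example that is not Siemens' or Positive Technologies' code: a minimal server-side session store that only checks token presence, next to a corrected store that enforces the idle timeout on every validation. Class names, the timeout value and the token format are constructed for illustration.

```python
import secrets


class VulnerableSessionStore:
    """Issues tokens but never consults the auto-logoff delay on use."""

    def __init__(self, auto_logoff_delay: float) -> None:
        self.auto_logoff_delay = auto_logoff_delay  # seconds
        self._sessions: dict[str, float] = {}  # token -> last activity time

    def login(self, now: float) -> str:
        # Constructed token format; the real AuthToken format is not on the page.
        token = secrets.token_hex(16)
        self._sessions[token] = now
        return token

    def validate(self, token: str, now: float) -> bool:
        # Defect: presence in the table is the only check, so a captured
        # token stays usable long after the auto-logoff delay has passed.
        return token in self._sessions


class FixedSessionStore(VulnerableSessionStore):
    """Enforces the idle timeout server-side and discards stale tokens."""

    def validate(self, token: str, now: float) -> bool:
        last_activity = self._sessions.get(token)
        if last_activity is None:
            return False
        if now - last_activity > self.auto_logoff_delay:
            # Expired: drop it so a replayed token cannot be revived later.
            del self._sessions[token]
            return False
        self._sessions[token] = now  # sliding idle window, refreshed on use
        return True

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def token_valid_after_timeout(store: VulnerableSessionStore, delay: float) -> bool:
    """Acceptance check: does a token issued at login still validate after
    the auto-logoff delay has elapsed? A correct store returns False."""
    t0 = 1_000.0
    token = store.login(t0)
    return store.validate(token, t0 + delay + 1)
```

Patch verification on a fixed unit follows the same shape: log in, wait past the configured auto-logoff delay, and confirm the old AuthToken is rejected rather than accepted.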
Recommendations

For Desigo DXR2 versions prior to V01.21.142.5-22, update to version V01.21.142.5-22 or later.
For Desigo PXC3 versions prior to V01.21.142.4-18, update to version V01.21.142.4-18 or later.
For Desigo PXC4 versions prior to V02.20.142.10-10884, update to version V02.20.142.10-10884 or later.
For Desigo PXC5 versions prior to V02.20.142.10-10884, update to version V02.20.142.10-10884 or later.

Fix

Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

BDU:2022-04203
CVE-2022-24042

Affected Products

Desigo Dxr2
Desigo Pxc3
Desigo Pxc4
Desigo Pxc5