PT-2022-3434 · Siemens · Desigo Pxc3+3
Published 2022-05-10 · Updated 2022-10-06 · CVE-2022-24041
CVSS v2.0: 6.8 (Medium)
| Vector | AV:N/AC:L/Au:S/C:C/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Desigo DXR2 versions prior to V01.21.142.5-22
Desigo PXC3 versions prior to V01.21.142.4-18
Desigo PXC4 versions prior to V02.20.142.10-10884
Desigo PXC5 versions prior to V02.20.142.10-10884
Description
A vulnerability has been identified in the web application of Desigo devices, where the PBKDF2 derived key of users' passwords is stored with a low iteration count. This allows an attacker with user profile access privilege to retrieve the stored password hashes of other accounts and then successfully perform an offline cracking attack to recover the plaintext passwords of other users.
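The weakness described above is a parameter problem rather than a broken algorithm: PBKDF2 is only as costly to brute-force offline as its iteration count makes it. The following Python, added here as an illustration and not taken from Siemens firmware or from this advisory, shows the two controls a defender wants around stored PBKDF2 hashes: an audit that flags records derived with fewer iterations than policy, and a verify-and-upgrade step that transparently re-derives a weak record the next time its owner authenticates. The record format (`pbkdf2_sha256$iterations$salt$key`), the user names and passwords are constructed for the example; the 600,000-iteration floor is the OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256 and is an assumed policy value, not one from the page.

```python
import base64
import hashlib
import hmac
import os
import time

# Assumed policy floor for PBKDF2-HMAC-SHA256 (OWASP Password Storage Cheat Sheet guidance).
MIN_ITERATIONS = 600_000
ALGO = "sha256"
DKLEN = 32


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC derivation; the iteration count is the whole work factor."""
    return hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations, dklen=DKLEN)


def encode_record(password: str, iterations: int, salt: bytes = None) -> str:
    """Build a self-describing stored record (constructed format for this example)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = derive(password, salt, iterations)
    return "pbkdf2_{}${}${}${}".format(
        ALGO, iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode()
    )


def parse_record(record: str):
    """Split a record into (scheme, iterations, salt, derived_key)."""
    scheme, iters, salt_b64, dk_b64 = record.split("$")
    return scheme, int(iters), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def audit(records: dict, minimum: int = MIN_ITERATIONS) -> list:
    """Return the usernames whose stored hash was derived below the policy floor."""
    weak = []
    for user, rec in records.items():
        _, iters, _, _ = parse_record(rec)
        if iters < minimum:
            weak.append(user)
    return weak


def verify_and_upgrade(record: str, password: str, minimum: int = MIN_ITERATIONS):
    """Check the password; on success with a weak record, return a re-derived replacement.

    Returns (ok, new_record): new_record is None when the password is wrong or the
    record already meets policy. Only a valid login can upgrade, because the
    plaintext is needed to re-derive the key.
    """
    _, iters, salt, stored = parse_record(record)
    ok = hmac.compare_digest(derive(password, salt, iters), stored)
    if ok and iters < minimum:
        return True, encode_record(password, minimum)
    return ok, None


def seconds_per_guess(iterations: int) -> float:
    """Rough single-thread cost of one guess at the given iteration count."""
    start = time.perf_counter()
    derive("benchmark", b"\x00" * 16, iterations)
    return time.perf_counter() - start


# Constructed sample store: two legacy records with a low count, one already at policy.
SAMPLE_RECORDS = {
    "alice": encode_record("correct horse", 1_000, salt=b"alice-salt-12345"),
    "bob": encode_record("battery staple", 10_000, salt=b"bob-salt-1234567"),
    "carol": encode_record("pw-already-ok", MIN_ITERATIONS, salt=b"carol-salt-12345"),
}

if __name__ == "__main__":
    print("records below policy:", audit(SAMPLE_RECORDS))
    ok, new_rec = verify_and_upgrade(SAMPLE_RECORDS["alice"], "correct horse")
    print("alice login ok:", ok, "upgraded:", new_rec is not None)
    weak_cost, strong_cost = seconds_per_guess(1_000), seconds_per_guess(MIN_ITERATIONS)
    print("per-guess cost 1k vs policy: {:.4f}s vs {:.4f}s".format(weak_cost, strong_cost))
```

Run as a script to see the audit result and the per-guess cost at the two iteration counts; the cost ratio is roughly the iteration ratio, which is exactly the margin an offline attack loses when the stored records are upgraded. The upgrade path matters because a firmware update alone cannot fix existing records without the plaintext: re-derivation has to happen at the next successful login or via a forced password reset.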
Recommendations
For Desigo DXR2 versions prior to V01.21.142.5-22, update to version V01.21.142.5-22 or later.
For Desigo PXC3 versions prior to V01.21.142.4-18, update to version V01.21.142.4-18 or later.
For Desigo PXC4 versions prior to V02.20.142.10-10884, update to version V02.20.142.10-10884 or later.
For Desigo PXC5 versions prior to V02.20.142.10-10884, update to version V02.20.142.10-10884 or later.
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Desigo Dxr2
Desigo Pxc3
Desigo Pxc4
Desigo Pxc5