PT-2022-3460 · Siemens · Desigo Pxc3+3
Published 2022-05-10 · Updated 2022-10-06 · CVE-2022-24040
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Desigo DXR2 versions prior to V01.21.142.5-22
Desigo PXC3 versions prior to V01.21.142.4-18
Desigo PXC4 versions prior to V02.20.142.10-10884
Desigo PXC5 versions prior to V02.20.142.10-10884
Description
The issue is related to an error in handling exceptions in the software of the Desigo DXR2, PXC3, PXC4, and PXC5 modules. It can allow an attacker to cause a denial of service (DoS) by setting a PBKDF2-derived key with an excessive cost factor, leading to high CPU consumption. The web application fails to enforce an upper bound on the cost factor of the PBKDF2-derived key during account creation or update. An attacker with user profile access privilege could exploit this by setting a PBKDF2-derived key with a high cost factor and then attempting to log in to the modified account. In a worst-case scenario, an attacker could lock out the device for several days by repeating the procedure, potentially leading to serious consequences, such as disabling a fire alarm system and amplifying the effect of an attack on other production management systems.
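The missing control is a server-enforced bound on the PBKDF2 cost factor. The following Python sketch is an added example, not Siemens code or anything from the Desigo firmware: it shows the bound applied at account creation/update and re-checked at login, so a stored record with an out-of-range cost factor is rejected before any derivation runs. The iteration limits and the SHA-256 PRF are assumed values chosen for the example.

```python
import hashlib
import hmac
import os

# Server-side bounds on the cost factor (assumed values for this example).
# The client never chooses an unbounded iteration count.
MIN_ITERATIONS = 100_000
DEFAULT_ITERATIONS = 600_000
MAX_ITERATIONS = 2_000_000
SALT_LEN = 16


class InvalidCostFactor(ValueError):
    """Requested or stored PBKDF2 cost factor is outside the allowed range."""


def cost_factor_is_allowed(iterations):
    """True only for a plain int inside [MIN_ITERATIONS, MAX_ITERATIONS]."""
    if isinstance(iterations, bool) or not isinstance(iterations, int):
        return False
    return MIN_ITERATIONS <= iterations <= MAX_ITERATIONS


def validate_iterations(iterations):
    if not cost_factor_is_allowed(iterations):
        raise InvalidCostFactor(f"cost factor {iterations!r} outside "
                                f"[{MIN_ITERATIONS}, {MAX_ITERATIONS}]")
    return iterations


def create_credential(password, iterations=DEFAULT_ITERATIONS):
    """Account creation/update: bound the cost factor before deriving anything."""
    iterations = validate_iterations(iterations)
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_login(record, password):
    """Login: re-validate the stored cost factor so a record written by a path
    that skipped the check cannot trigger an unbounded derivation."""
    iterations = validate_iterations(record["iterations"])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], iterations)
    # Constant-time comparison of the stored and recomputed digests.
    return hmac.compare_digest(candidate, record["digest"])
```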
Recommendations
For Desigo DXR2 versions prior to V01.21.142.5-22, update to version V01.21.142.5-22 or later to resolve the issue.
For Desigo PXC3 versions prior to V01.21.142.4-18, update to version V01.21.142.4-18 or later to resolve the issue.
For Desigo PXC4 versions prior to V02.20.142.10-10884, update to version V02.20.142.10-10884 or later to resolve the issue.
For Desigo PXC5 versions prior to V02.20.142.10-10884, update to version V02.20.142.10-10884 or later to resolve the issue.
As a temporary workaround, consider restricting access to the PBKDF2 key derivation function to minimize the risk of exploitation.
Weakness Enumeration
Resource Exhaustion
Related Identifiers
Affected Products
Desigo Dxr2
Desigo Pxc3
Desigo Pxc4
Desigo Pxc5