Siemens released a firmware update to mitigate an insufficient entropy vulnerability that affects its Desigo PX Web modules, according to a report from ICS-CERT.
Marcella Hastings, Joshua Fried, and Nadia Heninger from the University of Pennsylvania coordinated disclosure of this remotely exploitable vulnerability directly with Siemens.
The vulnerability affects the following Desigo PX Web modules and versions:
• Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 for Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D: All firmware versions prior to V6.00.046
• Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2 for Desigo PX automation controllers PXC00-U, PXC64-U, PXC128-U: All firmware versions prior to V6.00.046
A successful exploitation of this vulnerability could allow an attacker to recover private keys used for HTTPS in the integrated web server.
Siemens is a multinational company headquartered in Munich, Germany.
The affected products, Desigo PX modules, control and monitor building automation systems. Desigo PX Web modules are used in the commercial facilities sector. Siemens said these products are used worldwide.
The affected devices use a pseudo random number generator with insufficient entropy to generate certificates for HTTPS, potentially allowing remote attackers to reconstruct the corresponding private key.
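A defender-side check for the weakness described above, added here as an example and not taken from Siemens, ICS-CERT or the researchers. It assumes the HTTPS certificates carry RSA keys (the report does not name the algorithm) and flags hosts in your own inventory whose moduli repeat or share a factor, a common symptom of low-entropy key generation; host names and moduli are constructed.

```python
"""Fleet audit for symptoms of low-entropy RSA key generation (added example)."""
from itertools import combinations
from math import gcd


def audit_moduli(inventory):
    """inventory maps host -> RSA modulus (int) read from that host's certificate.

    Returns (duplicates, shared):
      duplicates: groups of hosts that present the identical modulus
      shared:     pairs of hosts whose distinct moduli have a common factor
    Only host names are reported; the common factor itself is not returned.
    """
    by_modulus = {}
    for host, modulus in inventory.items():
        by_modulus.setdefault(modulus, []).append(host)

    # Identical keys on different devices: the generator produced the same output.
    duplicates = sorted(sorted(hosts) for hosts in by_modulus.values() if len(hosts) > 1)

    # Distinct moduli that are not coprime: the devices drew a common prime.
    # Pairwise comparison is quadratic, which is acceptable for a site inventory.
    shared = []
    for (n1, hosts1), (n2, hosts2) in combinations(by_modulus.items(), 2):
        if gcd(n1, n2) > 1:
            shared.append(tuple(sorted((min(hosts1), min(hosts2)))))
    return duplicates, sorted(shared)


# Constructed inventory with toy-sized moduli (real RSA moduli are 1024+ bits).
# Host names are hypothetical.
INVENTORY = {
    "px-web-a": 101 * 103,
    "px-web-b": 101 * 103,   # same modulus as px-web-a
    "px-web-c": 101 * 107,   # shares one prime with px-web-a / px-web-b
    "px-web-d": 109 * 113,   # unrelated key
}

if __name__ == "__main__":
    dup, shr = audit_moduli(INVENTORY)
    for group in dup:
        print("identical key on:", ", ".join(group))
    for a, b in shr:
        print("moduli share a factor:", a, "<->", b)
```

Any host flagged by either check should be updated and have its certificate and key regenerated.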
CVE-2016-9154 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.9.
No known public exploits specifically target this vulnerability. On top of that, crafting a working exploit for this vulnerability would be difficult.
Siemens provided firmware update V6.00.046 for the affected devices, which fixes the vulnerability. Siemens recommends all users operating an affected device apply the update.
Until the update can be applied, Siemens recommends the following:
• Protect network access
• Apply defense-in-depth strategies
• Restrict access to Port 443/TCP of Desigo PX-Web modules
• Disable the web server
For more information on this vulnerability and more detailed mitigation instructions, please see Siemens Security Advisory SSA-856492.