Siemens Desigo PX Web Module Insufficient Entropy Vulnerability
Monitor5.9ICS-CERT ICSA-16-355-01Sep 23, 2016
Attack VectorNetwork
Auth RequiredNone
ComplexityHigh
User InteractionNone needed
Summary
The Desigo PX Web module (all firmware versions before v6.00.046) uses insufficient entropy when generating session tokens or cryptographic keys. This weakness allows an attacker with network access to predict or brute-force valid authentication tokens without valid user credentials, potentially gaining unauthorized access to the building automation controller's web interface. The vulnerability affects multiple Desigo PX controller models with Web modules, allowing remote access to configuration and operational functions. No patch is available; the affected firmware versions have reached end-of-support status.
What this means
What could happen
An attacker with network access to the Desigo PX Web module could decrypt or forge encrypted session tokens due to weak entropy in the random number generator, potentially allowing unauthorized access to building automation functions and configuration data.
Who's at risk
Building automation operators managing Siemens Desigo PX controllers (PXC00, PXC50, PXC64, PXC100, PXC128, PXC200 series) with Web modules (PXA30-W0/W1/W2 or PXA40-W0/W1/W2 variants). This affects HVAC, lighting, occupancy control, and energy management systems in facilities such as office buildings, schools, hospitals, and municipal buildings.
How it could be exploited
An attacker on the network sends HTTP requests to the Desigo PX Web module's authentication mechanism. Because the module uses insufficient entropy when generating session tokens or encryption keys, the attacker can predict or brute-force valid tokens and impersonate legitimate users or administrators without valid credentials.
Prerequisites
- Network connectivity to the Desigo PX controller's HTTP/HTTPS port (typically 80/443)
- No valid user credentials required
- Access from network segment where the controller is reachable
remotely exploitableno authentication requiredlow complexityno patch availableaffects building automation and control systems
Exploitability
Moderate exploit probability (EPSS 1.2%)
Affected products (21)
21 EOL
ProductAffected VersionsFix Status
Desigo PX Web module PXA40-W0 firmware for Desigo PX automation controllers PXC50-E.D: <V6.00.046<V6.00.046No fix (EOL)
Desigo PX Web module PXA30-W2 firmware for Desigo PX automation controllers PXC00-U: <V6.00.046<V6.00.046No fix (EOL)
Desigo PX Web module PXA30-W2 firmware for Desigo PX automation controllers PXC64-U: <V6.00.046<V6.00.046No fix (EOL)
Desigo PX Web module PXA30-W2 firmware for Desigo PX automation controllers PXC128-U: <V6.00.046<V6.00.046No fix (EOL)
Desigo PX Web module PXA40-W0 firmware for Desigo PX automation controllers PXC100-E.D: <V6.00.046<V6.00.046No fix (EOL)
Remediation & Mitigation
0/4
Do now
0/2HARDENINGIsolate affected Desigo PX controllers on a dedicated VLAN or air-gapped network segment to restrict network access from untrusted sources
WORKAROUNDImplement network-level access controls (firewall rules) to limit HTTP/HTTPS traffic to the Desigo PX Web module to only authorized engineering workstations and management systems
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
WORKAROUNDDisable the Web module feature if remote web access is not required for your building automation operations
Mitigations - no patch available
0/1The following products have reached End of Life with no planned fix: Desigo PX Web module PXA40-W0 firmware for Desigo PX automation controllers PXC50-E.D: <V6.00.046, Desigo PX Web module PXA30-W2 firmware for Desigo PX automation controllers PXC00-U: <V6.00.046, Desigo PX Web module PXA30-W2 firmware for Desigo PX automation controllers PXC64-U: <V6.00.046, Desigo PX Web module PXA30-W2 firmware for Desigo PX automation controllers PXC128-U: <V6.00.046, Desigo PX Web module PXA40-W0 firmware for Desigo PX automation controllers PXC100-E.D: <V6.00.046, Desigo PX Web module PXA40-W0 firmware for Desigo PX automation controllers PXC200-E.D: <V6.00.046, Desigo PX Web module PXA40-W1 firmware for Desigo PX automation controllers PXC00-E.D: <V6.00.046, Desigo PX Web module PXA40-W1 firmware for Desigo PX automation controllers PXC50-E.D: <V6.00.046, Desigo PX Web module PXA40-W1 firmware for Desigo PX automation controllers PXC100-E.D: <V6.00.046, Desigo PX Web module PXA40-W1 firmware for Desigo PX automation controllers PXC200-E.D: <V6.00.046, Desigo PX Web module PXA40-W2 firmware for Desigo PX automation controllers PXC00-E.D: <V6.00.046, Desigo PX Web module PXA40-W2 firmware for Desigo PX automation controllers PXC50-E.D: <V6.00.046, Desigo PX Web module PXA40-W2 firmware for Desigo PX automation controllers PXC100-E.D: <V6.00.046, Desigo PX Web module PXA30-W0 firmware for Desigo PX automation controllers PXC00-U: <V6.00.046, Desigo PX Web module PXA30-W0 firmware for Desigo PX automation controllers PXC64-U: <V6.00.046, Desigo PX Web module PXA30-W0 firmware for Desigo PX automation controllers PXC128-U: <V6.00.046, Desigo PX Web module PXA30-W1 firmware for Desigo PX automation controllers PXC00-U: <V6.00.046, Desigo PX Web module PXA30-W1 firmware for Desigo PX automation controllers PXC64-U: <V6.00.046, Desigo PX Web module PXA30-W1 firmware for Desigo PX automation controllers PXC128-U: <V6.00.046, Desigo PX Web module PXA40-W0 firmware for Desigo PX automation controllers PXC00-E.D: <V6.00.046, Desigo PX Web module PXA40-W2 firmware for Desigo PX automation controllers PXC200-E.D: <V6.00.046. Apply the following compensating controls:
HARDENINGMonitor access logs to the Desigo PX Web module for unusual authentication attempts or session anomalies
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/ccec20d7-87d2-44e3-8cd5-8ae7dd697979