Multiple Webserver Vulnerabilities in Desigo PXC and DXR Devices
Act Now · CVSS 9 · SSA-626968 · May 10, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
Desigo PXC3, PXC4, PXC5 and DXR2 devices contain multiple vulnerabilities in the webserver application. The vulnerabilities include issues with path traversal (CWE-75), denial of service (CWE-400), improper input validation (CWE-916), cleartext transmission of sensitive information (CWE-613), information exposure through timing differences (CWE-203), and weak authentication mechanisms (CWE-307, CWE-614). These could allow an attacker to intercept unencrypted sensitive information, cause a denial of service condition, or perform remote code execution.
What this means
What could happen
An attacker with network access to the webserver on these building automation controllers could run code remotely, intercept unencrypted communications containing sensitive data, or crash the device and interrupt building climate control, security system monitoring, or energy management operations.
Who's at risk
Building automation operators and facility managers running Siemens Desigo PXC3, PXC4, PXC5, or DXR2 controllers should apply firmware updates immediately. These devices control HVAC systems, lighting, access control, and energy management in commercial and institutional facilities. Any facility with network-connected Desigo controllers is potentially affected.
How it could be exploited
An attacker connects to the webserver on the exposed device (default ports 80 or 443) and exploits one of the multiple webserver vulnerabilities to either inject commands for remote code execution, craft requests that traverse the filesystem, send requests that trigger a denial of service condition, or intercept unencrypted authentication credentials transmitted over HTTP.
Prerequisites
- Network access to the webserver port (HTTP/HTTPS, typically 80 or 443) on the Desigo device
- Some vulnerabilities require valid user credentials or an authenticated session
- Device must be running a vulnerable firmware version
- Remotely exploitable via network webserver
- Multiple attack vectors in single advisory
- Critical CVSS severity (9.0)
- Affects building automation and safety-related systems
- Clear fix available from vendor
Exploitability
Moderate exploit probability (EPSS 2.1%)
Affected products (4)
4 with fix
Product     | Affected Versions       | Fix Status
Desigo PXC4 | < V02.20.142.10-10884   | 02.20.142.10-10884
Desigo PXC5 | < V02.20.142.10-10884   | 02.20.142.10-10884
Desigo DXR2 | < V01.21.142.5-22       | 01.21.142.5-22
Desigo PXC3 | < V01.21.142.4-18       | 01.21.142.4-18
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the webserver ports (80, 443) on Desigo devices using firewall rules or network segmentation; only allow connections from authorized engineering workstations and management networks
WORKAROUND: Disable the webserver on Desigo devices if it is not required for normal operations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Desigo PXC4
HOTFIX: Update Desigo PXC4 firmware to version 02.20.142.10-10884 or later
Desigo PXC5
HOTFIX: Update Desigo PXC5 firmware to version 02.20.142.10-10884 or later
Desigo DXR2
HOTFIX: Update Desigo DXR2 firmware to version 01.21.142.5-22 or later
Desigo PXC3
HOTFIX: Update Desigo PXC3 firmware to version 01.21.142.4-18 or later
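To act on the affected-products table and the HOTFIX steps above, here is an added example (not code from the advisory or from Siemens) that checks an asset inventory against the listed fix versions. The fix versions are the ones on this page; the hostnames and running versions are constructed, and the version notation is assumed to match the advisory's "V02.20.142.10-10884" form.

```python
# Added example (not from the advisory or the vendor): flag Desigo devices
# whose firmware predates the fix versions in the product table above.
# Fix versions are the page's; hosts and running versions are constructed.
# Assumes devices report firmware as the advisory writes it: "V02.20.142.10-10884".
import re

FIXED_VERSIONS = {  # product -> first fixed firmware, per the advisory
    "Desigo PXC3": "01.21.142.4-18",
    "Desigo PXC4": "02.20.142.10-10884",
    "Desigo PXC5": "02.20.142.10-10884",
    "Desigo DXR2": "01.21.142.5-22",
}

_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)$")

def parse_version(text: str) -> tuple[int, ...]:
    """'V02.20.142.10-10884' -> (2, 20, 142, 10, 10884); raises ValueError.
    Integer tuples avoid the string trap where '...142.9-' sorts after '...142.10-'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Desigo version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def assess(product: str, version: str) -> str:
    """Return 'vulnerable', 'fixed', 'not-in-scope' (product not in this
    advisory) or 'unparseable' (an unreadable version is never assumed safe)."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return "not-in-scope"
    try:
        running = parse_version(version)
    except ValueError:
        return "unparseable"
    return "vulnerable" if running < parse_version(fixed) else "fixed"

# Constructed sample inventory: every hostname and version here is made up.
SAMPLE_INVENTORY = [
    ("bms-ahu-01", "Desigo PXC4", "V02.20.142.9-10700"),   # below fix
    ("bms-ahu-02", "Desigo PXC5", "V02.20.142.10-10884"),  # exactly fixed
    ("bms-vav-17", "Desigo DXR2", "01.21.142.5-30"),       # newer build
    ("bms-old-03", "Desigo PXC3", "V01.21.142.4-17"),      # one build short
    ("bms-bad-04", "Desigo PXC4", "unknown"),              # unreadable
]

if __name__ == "__main__":
    for host, product, version in SAMPLE_INVENTORY:
        print(f"{host:12} {product:12} {version:22} {assess(product, version)}")
```

Feed it your real inventory export in place of SAMPLE_INVENTORY; anything reported as "unparseable" needs a manual look rather than being dropped from the patch list.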
CVEs (7)