Lucene search

[email protected]CVE-2022-24041

HistoryMay 10, 2022 - 11:15 a.m.

CVE-2022-24041

2022-05-1011:15:08

CWE-916

[email protected]

web.nvd.nist.gov

vulnerability

desigo dxr2

desigo pxc3

desigo pxc4

desigo pxc5

offline cracking

plaintext passwords

nvd

cve-2022-24041

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

24.0%

JSON

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The web application stores the PBKDF2 derived key of users passwords with a low iteration count. An attacker with user profile access privilege can retrieve the stored password hashes of other accounts and then successfully perform an offline cracking attack and recover the plaintext passwords of other users.

Affected configurations

NVD

Node

siemensdesigo_pxc5_firmwareRange<02.20.142.10-10884

AND

siemensdesigo_pxc5Match-

Node

siemensdesigo_pxc4_firmwareRange<02.20.142.10-10884

AND

siemensdesigo_pxc4Match-

Node

siemensdesigo_pxc3_firmwareRange<01.21.142.4-18

AND

siemensdesigo_pxc3Match-

Node

siemensdesigo_dxr2_firmwareRange<01.21.142.5-22

AND

siemensdesigo_dxr2Match-

CPENameOperatorVersion
siemens:desigo_pxc5_firmwaresiemens desigo pxc5 firmwarelt02.20.142.10-10884

CPE	Name	Operator	Version
siemens:desigo_pxc5_firmware	siemens desigo pxc5 firmware	lt	02.20.142.10-10884

CNA Affected

[
  {
    "product": "Desigo DXR2",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions < V01.21.142.5-22"
      }
    ]
  },
  {
    "product": "Desigo PXC3",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions < V01.21.142.4-18"
      }
    ]
  },
  {
    "product": "Desigo PXC4",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions < V02.20.142.10-10884"
      }
    ]
  },
  {
    "product": "Desigo PXC5",
    "vendor": "Siemens",
    "versions": [
      {
        "status": "affected",
        "version": "All versions < V02.20.142.10-10884"
      }
    ]
  }
]

References

cert-portal.siemens.com/productcert/pdf/ssa-626968.pdf

Social References

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

24.0%

JSON

Related for CVE-2022-24041

nvd1 nessus1 prion1 cvelist1 ics1