nessus: TENABLE_OT_SIEMENS_CVE-2019-13927.NASL
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
Jan 25, 2023 - 12:00 a.m.

Siemens Desigo PX Devices External Control of Assumed-Immutable Web Parameter (CVE-2019-13927)

Tags: siemens desigo px, controllers, vulnerability, web server, denial of service, http message, firmware, network access

AI Score: 5.3 Medium (Confidence: High)
EPSS: 0.001 Low (Percentile: 30.4%)

A vulnerability has been identified in Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D with Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 (All firmware versions < V6.00.320), Desigo PX automation controllers PXC00-U, PXC64-U, PXC128-U with Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2 (All firmware versions < V6.00.320), Desigo PX automation controllers PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D with activated web server (All firmware versions < V6.00.320). The device contains a vulnerability that could allow an attacker to cause a denial of service condition on the device’s web server by sending a specially crafted HTTP message to the web server port (tcp/80). The security vulnerability could be exploited by an attacker with network access to an affected device.
Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise the availability of the device’s web service. While the device itself stays operational, the web server responds with HTTP status code 404 (Not found) to any further request. A reboot is required to recover the web interface. At the time of advisory publication no public exploitation of this security vulnerability was known.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(500761);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/04");

  script_cve_id("CVE-2019-13927");

  script_name(english:"Siemens Desigo PX Devices External Control of Assumed-Immutable Web Parameter (CVE-2019-13927)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in Desigo PX automation
controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D with Desigo
PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 (All firmware versions <
V6.00.320), Desigo PX automation controllers PXC00-U, PXC64-U,
PXC128-U with Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2 (All
firmware versions < V6.00.320), Desigo PX automation controllers
PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D with activated web server (All
firmware versions < V6.00.320). The device contains a vulnerability
that could allow an attacker to cause a denial of service condition on
the device's web server by sending a specially crafted HTTP message to
the web server port (tcp/80). The security vulnerability could be
exploited by an attacker with network access to an affected device.
Successful exploitation requires no system privileges and no user
interaction. An attacker could use the vulnerability to compromise the
availability of the device's web service. While the device itself
stays operational, the web server responds with HTTP status code 404
(Not found) to any further request. A reboot is required to recover
the web interface. At the time of advisory publication no public
exploitation of this security vulnerability was known.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-19-318-03");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens has an update available for the following affected products:

- PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D with Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2: Install
v6.00.320 or a later version.
- PXC00-U, PXC64-U, PXC128-U with Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2: Install v6.00.320 or a later
version.
- PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D with activated web server: Install v6.00.320 or a later version.

Siemens has identified the following specific workarounds and mitigations that users can apply to reduce risk:

- Ensure the PX Web interface is accessible only from trusted networks.

As a general security measure, Siemens strongly recommends customers protect network access to affected products with
appropriate mechanisms. Siemens advises all users to follow recommended security practices to run the devices in a
protected environment.

For more information on security vulnerabilities in Siemens products and solutions, please contact the Siemens
ProductCERT:http://www.siemens.com/cert/advisories

For more information on the vulnerability and more detailed mitigation instructions, please see Siemens Security
Advisory SSA-898181 at the following location: http://www.siemens.com/cert/advisories");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-13927");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(668);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/12/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/01/25");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:pxc00-e.d_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:pxc100-e.d_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:pxc200-e.d_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:pxc50-e.d_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:pxc00-e.d_firmware" :
        {"versionEndExcluding" : "6.00.320", "family" : "Desigo"},
    "cpe:/o:siemens:pxc50-e.d_firmware" :
        {"versionEndExcluding" : "6.00.320", "family" : "Desigo"},
    "cpe:/o:siemens:pxc100-e.d_firmware" :
        {"versionEndExcluding" : "6.00.320", "family" : "Desigo"},
    "cpe:/o:siemens:pxc200-e.d_firmware" :
        {"versionEndExcluding" : "6.00.320", "family" : "Desigo"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);

| Vendor | Product | Version | CPE |
|---|---|---|---|
| siemens | pxc00-e.d_firmware | | cpe:/o:siemens:pxc00-e.d_firmware |
| siemens | pxc100-e.d_firmware | | cpe:/o:siemens:pxc100-e.d_firmware |
| siemens | pxc200-e.d_firmware | | cpe:/o:siemens:pxc200-e.d_firmware |
| siemens | pxc50-e.d_firmware | | cpe:/o:siemens:pxc50-e.d_firmware |
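
The plugin's `vuln_cpes` map covers four PXC*-E.D CPEs, while the advisory text names ten controller models in three groups, each with its own web-exposure condition. The following inventory check is an added example, not Tenable's or Siemens' code; it applies the same "below 6.00.320" rule to all three groups, and the record fields (`model`, `web_module`, `web_server_enabled`, `firmware`) and sample assets are hypothetical.

```python
import re

FIXED = (6, 0, 320)  # V6.00.320, the fixed firmware version named in the advisory

# Controller groups and their web-exposure condition, transcribed from the advisory text.
GROUPS = [
    ({"PXC00-E.D", "PXC50-E.D", "PXC100-E.D", "PXC200-E.D"}, {"PXA40-W0", "PXA40-W1", "PXA40-W2"}),
    ({"PXC00-U", "PXC64-U", "PXC128-U"}, {"PXA30-W0", "PXA30-W1", "PXA30-W2"}),
    ({"PXC22.1-E.D", "PXC36-E.D", "PXC36.1-E.D"}, None),  # None: "activated web server"
]

def parse_version(text):
    """'V6.00.320' -> (6, 0, 320); None when the string is not a dotted version."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def assess(asset):
    """Return 'affected', 'not_affected' or 'unknown' for one inventory record."""
    model = asset["model"].upper()
    for models, web_modules in GROUPS:
        if model not in models:
            continue
        if web_modules is None:
            exposed = asset.get("web_server_enabled")  # missing field -> None
        else:
            exposed = asset.get("web_module", "").upper() in web_modules
        if exposed is None:
            return "unknown"
        if not exposed:
            return "not_affected"
        version = parse_version(asset.get("firmware", ""))
        if version is None:
            return "unknown"  # never silently pass an unparseable version
        # Numeric compare: as strings, "6.00.99" would sort above "6.00.320".
        return "affected" if version < FIXED else "not_affected"
    return "not_affected"

INVENTORY = [  # constructed sample records, not real assets
    {"name": "ahu-1", "model": "PXC100-E.D", "web_module": "PXA40-W1", "firmware": "V6.00.99"},
    {"name": "ahu-2", "model": "PXC64-U", "web_module": "PXA30-W0", "firmware": "V6.00.320"},
    {"name": "vav-3", "model": "PXC36-E.D", "web_server_enabled": True, "firmware": "5.10.064"},
    {"name": "vav-4", "model": "PXC36.1-E.D", "web_server_enabled": False, "firmware": "5.10.064"},
    {"name": "plant-5", "model": "PXC200-E.D", "web_module": "PXA40-W2", "firmware": "unknown"},
]

def report(inventory):
    return {a["name"]: assess(a) for a in inventory}

if __name__ == "__main__":
    print(report(INVENTORY))
```

Records that come back `unknown` need a manual firmware or web-server check before they are cleared.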
