threatpost | Tom Spring | THREATPOST:B11A09B3374F7CC0414453CFADC03B0C
Dec 22, 2016 - 12:28 p.m.

Siemens Patches Insufficient Entropy Vulnerability in ICS Systems


German industrial giant Siemens has provided a firmware update addressing vulnerabilities found in a popular line of its Desigo PX industrial control hardware, used primarily to control HVAC systems in commercial buildings.

On Wednesday, Siemens, in coordination with ICS-CERT, issued an advisory regarding an insufficient entropy vulnerability that could be exploited remotely.

“A successful exploitation of this vulnerability could allow an attacker to recover private keys used for HTTPS in the integrated web server,” according to the advisory.

The affected Desigo PX Web modules are PXA40-W0, PXA40-W1 and PXA40-W2 for Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D and PXC200-E.D. Siemens also listed Web modules PXA30-W0, PXA30-W1 and PXA30-W2 for Desigo PX automation controllers PXC00-U, PXC64-U and PXC128-U. In all cases, the impacted modules are those running firmware versions prior to V6.00.046.

The vulnerability (CVE-2016-9154) is tied to the Desigo PX Web modules. Desigo PX is a Siemens hardware and software solution for industrial building automation for controlling everything from HVAC systems to alarm signaling, according to the company’s website. The Web modules are for extending control of the Desigo PX outside of a facility via the Internet.

The vulnerability might allow attackers to hijack web sessions over a network without authentication due to insufficient entropy in its random number generator. “The affected devices use a pseudo random number generator with insufficient entropy to generate certificates for HTTPS, potentially allowing remote attackers to reconstruct the corresponding private key,” the Siemens bulletin describes.

According to the Open Web Application Security Project (OWASP), this vulnerability occurs when an undesirably low amount of entropy is available. “Pseudo Random Number Generators are susceptible to suffering from insufficient entropy when they are initialized, because entropy data may not be available to them yet,” OWASP describes.
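The initialization problem OWASP describes can be seen in a small simulation, added here as an illustration and not taken from the article, the Siemens advisory or the Desigo PX firmware. It compares a fleet whose first-boot seed varies by only 8 bits with one seeded from the operating system CSPRNG, then audits both for devices that ended up with the same key. The 8-bit seed source, the `generate_key` stand-in and the `dev-NNNN` device names are assumptions made for the example.

```python
import hashlib
import os
import random
from collections import defaultdict

def generate_key(seed: bytes) -> bytes:
    """Stand-in for key generation (assumption): output depends only on the seed."""
    prng = random.Random(seed)  # deterministic PRNG: same seed gives same "key"
    return prng.getrandbits(256).to_bytes(32, "big")

def boot_seed_low_entropy(bits: int = 8) -> bytes:
    """Assumed weak source: only `bits` bits differ between devices at first boot."""
    value = int.from_bytes(os.urandom(4), "big") % (1 << bits)
    return value.to_bytes(4, "big")

def boot_seed_strong() -> bytes:
    """Seed drawn from the operating system CSPRNG (256 bits)."""
    return os.urandom(32)

def simulate(n_devices: int, seed_source) -> dict:
    """Build a constructed fleet: device id -> key generated at first boot."""
    return {f"dev-{i:04d}": generate_key(seed_source()) for i in range(n_devices)}

def audit_fleet(keys: dict) -> dict:
    """Group device ids by key fingerprint; a group larger than one is a finding."""
    groups = defaultdict(list)
    for device, key in keys.items():
        groups[hashlib.sha256(key).hexdigest()].append(device)
    return {fp: devs for fp, devs in groups.items() if len(devs) > 1}

def summarize(keys: dict) -> dict:
    """Counts a fleet owner would look at after collecting device keys."""
    dupes = audit_fleet(keys)
    return {
        "devices": len(keys),
        "distinct_keys": len(set(keys.values())),
        "duplicate_groups": len(dupes),
        "largest_group": max((len(d) for d in dupes.values()), default=1),
    }

if __name__ == "__main__":
    print("weak seed  :", summarize(simulate(500, boot_seed_low_entropy)))
    print("strong seed:", summarize(simulate(500, boot_seed_strong)))
```

With 500 devices and 256 possible seeds, repeated keys are guaranteed in the weak fleet, which is why an inventory of certificate fingerprints across deployed devices is a practical check for this class of flaw.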

Siemens has provided a firmware update (V6.00.046) which fixes the vulnerability in the Desigo PX modules. The company said there are no known public exploits of this vulnerability and that exploiting it would be difficult.

A group of security researchers from the University of Pennsylvania coordinated finding and reporting the vulnerability directly to Siemens. The researchers include Marcella Hastings, Joshua Fried and Nadia Heninger.
