
Siemens Desigo PX V6.00 Web Remote Denial of Service Exploit

Medium
Advisory ID
ZSL-2019-5542
Release Date
13 November 2019
Vendor
Affected Version
Model: PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D
With Desigo PX Web modules: PXA40-W0, PXA40-W1, PXA40-W2
All firmware versions < V6.00.320

Model: PXC00-U, PXC64-U, PXC128-U
With Desigo PX Web modules: PXA30-W0, PXA30-W1, PXA30-W2
All firmware versions < V6.00.320

Model: PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D
With activated web server
All firmware versions < V6.00.320
Tested On
HP StorageWorks MSL4048 httpd
Summary

Desigo PX is a modern building automation and control system for the entire field of building service plants. Scalable from small to large projects with highest degree of energy efficiency, openness and user-friendly operation.

Description

The device contains a vulnerability that could allow an attacker to cause a denial of service condition on the device's web server by sending a specially crafted HTTP message to the web server port (tcp/80). The security vulnerability could be exploited by an attacker with network access to an affected device. Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise the availability of the device's web service. While the device itself stays operational, the web server responds with HTTP status code 404 (Not found) to any further request. A reboot is required to recover the web interface.
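
A monitoring-side check for the post-condition described above, as an added example that is not part of the advisory: it classifies time-ordered HTTP probe results per controller and flags the state where pages that previously returned 200 now all return 404 while the device still answers. The device names, probe paths and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed probe log (not from the advisory): (time, device, path, result).
# result is the HTTP status code, or None when the TCP connection failed.
# Device names and paths are hypothetical placeholders.
PROBES = [
    ("10:00", "px-ahu-1", "/", 200), ("10:00", "px-ahu-1", "/page2", 200),
    ("10:00", "px-ahu-2", "/", 200), ("10:00", "px-ahu-2", "/missing", 404),
    ("10:00", "px-ahu-3", "/", 200),
    ("10:05", "px-ahu-1", "/", 404), ("10:05", "px-ahu-1", "/page2", 404),
    ("10:05", "px-ahu-2", "/", 200), ("10:05", "px-ahu-2", "/missing", 404),
    ("10:05", "px-ahu-3", "/", None),
    ("10:10", "px-ahu-1", "/", 404),
]

def classify(probes, min_hits=3, min_paths=2):
    """Map each device to 'ok', 'unreachable' or 'web-404-lockup'.

    'web-404-lockup' means the web server still answers, but the most recent
    min_hits probes are all 404 and cover at least min_paths pages that
    returned 200 earlier: the condition the advisory says needs a reboot.
    """
    by_dev = defaultdict(list)
    for _ts, dev, path, status in probes:  # input is assumed time-ordered
        by_dev[dev].append((path, status))

    states = {}
    for dev, rows in by_dev.items():
        if rows[-1][1] is None:
            states[dev] = "unreachable"  # device or network down, not this issue
            continue
        tail = []  # paths in the trailing run of consecutive 404 answers
        for path, status in reversed(rows):
            if status != 404:
                break
            tail.append(path)
        earlier = rows[:len(rows) - len(tail)]
        baseline = {p for p, s in earlier if s == 200}  # pages known to exist
        lost = set(tail) & baseline
        locked = len(tail) >= min_hits and len(lost) >= min_paths
        states[dev] = "web-404-lockup" if locked else "ok"
    return states

if __name__ == "__main__":
    for device, state in sorted(classify(PROBES).items()):
        print(device, state)
```

Requiring several known-good pages to fail together keeps a single missing page or a powered-off controller from raising this alert.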

Proof of Concept
Disclosure Timeline
06.06.2019: Vulnerability discovered.
20.08.2019: Vendor contacted.
21.08.2019: Vendor responds asking for more details, providing PGP key.
21.08.2019: Sent encrypted details to the vendor.
22.08.2019: Vendor responds. Forwarded to product team.
23.08.2019: Replied to the vendor.
28.08.2019: Vendor confirms the vulnerability in all PX models and versions that have pxweb enabled.
28.08.2019: Replied to the vendor.
29.08.2019: Vendor replied. Assigns CVE and scheduled advisory release date. Working on a fix.
30.08.2019: Replied to the vendor.
23.10.2019: Follow up from the vendor. Expected advisory release: 12th of November.
24.10.2019: Replied to the vendor.
24.10.2019: Vendor provides additional information regarding versions and models affected.
06.11.2019: Vendor releases fix for Desigo PX, advisory scheduled to be released on 12th of November.
08.11.2019: Replied to the vendor.
12.11.2019: Vendor releases advisory SSA-898181.
13.11.2019: Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
High five to Stevie!
References
Changelog
13.11.2019: Initial release
14.11.2019: Added reference [9], [10], [11] and [12]
15.11.2019: Added reference [13]