Siemens Desigo PX V6.00 Web Remote Denial of Service Exploit

Title: Siemens Desigo PX V6.00 Web Remote Denial of Service Exploit
Advisory ID: ZSL-2019-5542
Type: Local/Remote
Impact: DoS
Risk: (3/5)
Release Date: 13.11.2019
Summary
Desigo PX is a modern building automation and control system for the entire field of building service plants. It scales from small to large projects and offers the highest degree of energy efficiency, openness and user-friendly operation.
Description
The device contains a vulnerability that could allow an attacker to cause a denial of service condition on the device's web server by sending a specially crafted HTTP message to the web server port (tcp/80). The security vulnerability could be exploited by an attacker with network access to an affected device. Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise the availability of the device's web service. While the device itself stays operational, the web server responds with HTTP status code 404 (Not found) to any further request. A reboot is required to recover the web interface.
Vendor
Siemens AG - https://www.siemens.com
Affected Version
Model: PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D
With Desigo PX Web modules: PXA40-W0, PXA40-W1, PXA40-W2
All firmware versions < V6.00.320
------
Model: PXC00-U, PXC64-U, PXC128-U
With Desigo PX Web modules: PXA30-W0, PXA30-W1, PXA30-W2
All firmware versions < V6.00.320
------
Model: PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D
With activated web server
All firmware versions < V6.00.320
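The two facts a defender can act on from the description and the affected-version list above are the firmware threshold (fixed from V6.00.320) and the post-exploitation signature (web server answering 404 to every request while the controller stays up). The following Python is an added example, not the advisory's PoC or Siemens' code; it assumes version strings of the form "V6.00.320" and a known-valid page on the web module that returns 200 when healthy.

```python
"""Defender-side checks for CVE-2019-13927 (Desigo PX web server DoS).
Added example, not from the Zero Science Lab advisory or Siemens. Assumes
firmware versions are written like "V6.00.320" and that the web module serves
a known-valid page (placeholder URL in the caller) returning 200 when healthy.
"""
import re
import urllib.request
from urllib.error import HTTPError

FIXED_VERSION = "V6.00.320"  # first fixed firmware per the advisory


def parse_version(ver):
    """Turn 'V6.00.320' into (6, 0, 320) so versions compare numerically."""
    m = re.fullmatch(r"V?(\d+)\.(\d+)\.(\d+)", ver.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {ver!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(ver):
    """Advisory: every firmware version below V6.00.320 is affected."""
    return parse_version(ver) < parse_version(FIXED_VERSION)


def classify_status(status):
    """Map the HTTP status of a page that must exist to a health verdict.
    After exploitation the controller keeps running but its web server answers
    404 to every request, so 404 on a known-valid page is the stuck-state
    signature; the advisory says only a reboot recovers the web interface.
    """
    if status == 200:
        return "healthy"
    if status == 404:
        return "suspected-dos-stuck-404"
    return "degraded"


def probe(url, timeout=5.0):
    """Fetch a known-valid page and classify it; connection failures are
    reported as 'unreachable' because this DoS leaves the device reachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_status(resp.status)
    except HTTPError as e:
        return classify_status(e.code)  # urllib raises for 4xx/5xx
    except OSError:  # URLError (DNS, refused) and socket timeouts
        return "unreachable"
```

Run probe("http://<px-web-module>/<known-valid-page>") from a scheduler and alert on the "suspected-dos-stuck-404" verdict, which is the state that needs a reboot; is_affected can be fed from an asset inventory export to list controllers still below V6.00.320.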
Tested On
HP StorageWorks MSL4048 httpd
Vendor Status
[06.06.2019] Vulnerability discovered.
[20.08.2019] Vendor contacted.
[21.08.2019] Vendor responds asking for more details and providing a PGP key.
[21.08.2019] Sent encrypted details to the vendor.
[22.08.2019] Vendor responds. Forwarded to product team.
[23.08.2019] Replied to the vendor.
[28.08.2019] Vendor confirms the vulnerability in all PX models and versions that have pxweb enabled.
[28.08.2019] Replied to the vendor.
[29.08.2019] Vendor replied, assigned a CVE and scheduled the advisory release date. Working on a fix.
[30.08.2019] Replied to the vendor.
[23.10.2019] Follow up from the vendor. Expected advisory release: 12th of November.
[24.10.2019] Replied to the vendor.
[24.10.2019] Vendor provides additional information regarding versions and models affected.
[06.11.2019] Vendor releases fix for Desigo PX, advisory scheduled to be released on 12th of November.
[08.11.2019] Replied to the vendor.
[12.11.2019] Vendor releases advisory SSA-898181.
[13.11.2019] Coordinated public security advisory released.
PoC
desigopx.sh
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to Stevie!
References
[1] https://support.industry.siemens.com/cs/document/109772802
[2] https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications
[3] https://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf
[4] https://cert-portal.siemens.com/productcert/txt/ssa-898181.txt
[5] https://new.siemens.com/global/en/products/services/cert/hall-of-thanks.html
[6] https://new.siemens.com/global/en/company/stories/research-technologies/cybersecurity/rhythm-for-security.html
[7] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13927
[8] https://nvd.nist.gov/vuln/detail/CVE-2019-13927
[9] https://exchange.xforce.ibmcloud.com/vulnerabilities/171445
[10] https://packetstormsecurity.com/files/155321
[11] https://www.exploit-db.com/exploits/47657
[12] https://www.us-cert.gov/ics/advisories/icsa-19-318-03
[13] https://www.symantec.com/security-center/vulnerabilities/writeup/110866
Changelog
[13.11.2019] - Initial release
[14.11.2019] - Added references [9], [10], [11] and [12]
[15.11.2019] - Added reference [13]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk