CVE-2022-24041

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The web application stores the PBKDF2-derived key of users' passwords with a low iteration count. An attacker with user profile access privilege can retrieve the stored password hashes of other accounts and then successfully perform an offline cracking attack and recover the plaintext passwords of other users.
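To make the weakness concrete, here is an added Python example; it is not code from this page, from Siemens, or from the Desigo firmware. The advisory only says the iteration count is "low", so the PRF (HMAC-SHA256), the 16-byte salt, the weak count of 1, the recommended count of 600,000 (the current OWASP figure for PBKDF2-HMAC-SHA256) and the wordlist are all assumptions constructed for the demonstration. The example shows the storage format, the verifier, the attacker's offline loop over an exfiltrated record, and the audit check a defender would run over stored records.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed parameters for this illustration only. The advisory does not
# publish the device's actual PRF, salt length or iteration count.
WEAK_ITERATIONS = 1                # hypothetical "low iteration count"
RECOMMENDED_ITERATIONS = 600_000   # OWASP guidance for PBKDF2-HMAC-SHA256
HASH_NAME = "sha256"
DKLEN = 32


def store_password(password: str, iterations: int,
                   salt: Optional[bytes] = None) -> dict:
    """Build the record a web application would persist for one account."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), salt, iterations, DKLEN)
    return {"salt": salt, "iterations": iterations, "dk": dk}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive the key for a candidate and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(HASH_NAME, candidate.encode(), record["salt"],
                             record["iterations"], DKLEN)
    return hmac.compare_digest(dk, record["dk"])


def offline_crack(record: dict, wordlist):
    """Attacker side: try each guess against an exfiltrated record.
    Returns (recovered_password_or_None, number_of_guesses_made)."""
    guesses = 0
    for guess in wordlist:
        guesses += 1
        if verify(record, guess):
            return guess, guesses
    return None, guesses


def audit_iterations(record: dict, minimum: int = RECOMMENDED_ITERATIONS) -> bool:
    """Defender side: flag a stored record whose work factor is below policy."""
    return record["iterations"] >= minimum


def guesses_per_second(iterations: int, samples: int = 20) -> float:
    """Measure how many guesses one core can test at a given iteration count."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac(HASH_NAME, f"guess{i}".encode(), salt, iterations, DKLEN)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed sample data: one account and a small wordlist.
    wordlist = ["admin", "password", "Siemens1", "operator2019", "Passw0rd!"]
    weak = store_password("operator2019", WEAK_ITERATIONS)
    strong = store_password("operator2019", RECOMMENDED_ITERATIONS)
    print("weak record cracked:", offline_crack(weak, wordlist))
    print("weak record passes audit:", audit_iterations(weak))
    print("strong record passes audit:", audit_iterations(strong))
    print(f"weak: {guesses_per_second(WEAK_ITERATIONS):,.0f} guesses/s")
    print(f"recommended: {guesses_per_second(RECOMMENDED_ITERATIONS, samples=3):,.0f} guesses/s")
```

Two points from the example are worth keeping in mind when triaging this CVE. First, raising the iteration count only helps records derived after the fix; storing the count next to the salt and key (as the record above does) lets the application re-derive a user's key with the new cost at their next successful login. Second, CWE-916 is only half of the description: a user-profile view that returns other accounts' password hashes at all is an authorization defect, and a stronger KDF does not remove that exposure, it only slows down what an attacker can do with it.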


Published: 2022-05-10T11:15:08.343
Last Modified: 2024-11-21T06:49:42.903
Status: Modified
Source: [email protected]
Severity: CVSSv3.1 6.5 (MEDIUM)

CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE
Exploitability Score: 8.0
Impact Score: 2.9
(These subscores give a CVSSv2 base score of 4.0.)

Weaknesses
  • Primary: CWE-916 (Use of Password Hash With Insufficient Computational Effort)
  • Secondary: CWE-916 (Use of Password Hash With Insufficient Computational Effort)

Affected Vendors & Products

Type              Vendor   Product               Version/Range          Vulnerable?
Operating System  siemens  desigo_pxc5_firmware  < 02.20.142.10-10884   Yes
Hardware          siemens  desigo_pxc5           -                      No
Operating System  siemens  desigo_pxc4_firmware  < 02.20.142.10-10884   Yes
Hardware          siemens  desigo_pxc4           -                      No
Operating System  siemens  desigo_pxc3_firmware  < 01.21.142.4-18       Yes
Hardware          siemens  desigo_pxc3           -                      No
Operating System  siemens  desigo_dxr2_firmware  < 01.21.142.5-22       Yes
Hardware          siemens  desigo_dxr2           -                      No

The "Hardware" rows are the platform CPEs the firmware runs on and are listed as not vulnerable in their own right; the vulnerable component is the firmware, and the fixed versions are the ones named in the description above.
